Abstract

Hardcore functions have been used as a technical tool to construct secure cryptographic systems; however,
little is known about their quantum counterpart, called quantum hardcore functions. With a new insight
into fundamental properties of quantum hardcores, we present three new quantum hardcore functions 
for any (strong) quantum one-way function. We also give a "quantum" solution to Damgard's question 
(CRYPTO'88) on a classical hardcore property of his pseudorandom generator, by proving its quantum 
hardcore property. Our major technical tool is the new notion of quantum list-decoding of "classical" 
error-correcting codes (rather than "quantum" error-correcting codes), which is defined on the platform 
of computational complexity theory and computational cryptography (rather than information theory). 
In particular, we give a simple but powerful criterion that makes a polynomial-time computable classical 
block code (seen as a function) a quantum hardcore for all quantum one-way functions. Of independent
interest, we construct efficient quantum list-decoding algorithms for classical block codes whose associated
quantum states (called codeword states) form a nearly phase-orthogonal basis.

Keywords: quantum hardcore, quantum one-way, quantum list-decoding, codeword state, phase orthogonal,
presence, Johnson bound

AMS Subject Classifications: 14G50, 81P68, 94A60 

1 From Hardcores to List Decoding 

Modern cryptography heavily relies on computational hardness and pseudorandomness. One of its key notions 
is a hardcore bit for a one-way function — a bit that could be determined from all the information available 
to the mighty adversary but still looks random to any "feasible" adversary. A hardcore function transforms 
the onewayness into pseudorandomness by generating such hardcore bits of a given one-way function. Such 
a hardcore function is a crucial element of the construction of a pseudorandom generator as well as a bit 
commitment protocol from a one-way permutation. A typical example is the inner-product-mod-two function
$GL_x(r)$ of Goldreich and Levin [16], computing $\langle x, r\rangle$, the bitwise inner product modulo two, which constitutes
a hardcore bit for any (strong) one-way function.† Since $GL_x(r)$ equals the rth bit of the codeword
$HAD^{(2)}_x = (\langle x, 0^n\rangle, \langle x, 0^{n-1}1\rangle, \ldots, \langle x, 1^n\rangle)$ of message x of a binary Hadamard code, Goldreich and Levin essentially gave
a polynomial-time list-decoding algorithm for this Hadamard code. Later, Goldreich, Rubinfeld, and Sudan
[17] discussed the hardcore property of q-ary Hadamard codes. In the recent literature, list-decoding has kept
playing a key role in a general construction of hardcores [3] [55].

Thirteen years later, the "quantum" hardcore property (i.e., a hardcore property against any feasible
"quantum" adversary) of $GL_x(\cdot)$ was shown by Adcock and Cleve [1], who implicitly gave a simple and
efficient quantum algorithm that recovers x from the binary Hadamard code by exploiting the robust nature
of a quantum algorithm of Bernstein and Vazirani [7]. The simplicity of the proof of Adcock and Cleve can be
best compared to the original proof of Goldreich and Levin, who employed a rather complicated algorithm with 
powerful techniques: self-correction property of the aforementioned Hadamard code and pairwise independent 



*An extended abstract appeared in the Proceedings of the 33rd International Colloquium on Automata, Languages and 
Programming (ICALP 2006), Lecture Notes in Computer Science, Vol.4052 (Part II), pp. 216-227. Venice, Italy. July 10-14, 
2006. 

† Literally speaking, this statement is slightly misleading. To be more accurate, such a hard-core function concerns only the
one-way function of the form $f'(x,r) = (f(x),r)$ with $|r| = \mathrm{poly}(|x|)$ induced from an arbitrary strong one-way function f. See,
e.g., [15] for a detailed discussion.

sampling. This highlights a significant role of robust quantum computation in the case of list-decoding (and
thus hardcores); however, it has been vastly unexplored until our work except for a quantum decoder of Barg
and Zhou [B] for simplex codes. No other quantum hardcore has been proven so far. The efficiency of robust
quantum algorithms with access to biased oracles has been also discussed in a different context [H [9] [24].

As our main result, we present three new quantum hardcore functions: q-ary Hadamard codes $HAD^{(q)}$,
shifted Legendre symbol codes $SLS^p$, and pairwise equality codes PEQ (see Section 2 for their definitions),
for any (strongly) quantum one-way function. The first hardcore function is a (nontrivial) extension of the
aforementioned result of Adcock and Cleve [1], and the latter two are not yet known to be classical hardcores
(see, e.g., [18]). With regard to $SLS^p$, in particular, we can prove the quantum hardcore property of Damgard's
pseudorandom generator. This gives a "quantum" solution to his question of whether his generator has
the classical hardcore property (this is also listed as an open problem in [18]).

Our argument proceeds by relating the proof of the quantum hardcore property of a given code C (seen as a
function) to solving the quantum list-decoding problem for C via direct access to a quantum-computationally
(or quantumly) corrupted codeword, which is given as a black-box oracle. A quantum list-decoding algorithm
(called a quantum list-decoder) tries to list all message candidates whose codewords match the quantumly
corrupted codeword within a certain error rate bound. Let us first assume that the target function C is not a
quantum hardcore for a certain quantum one-way function f', of the form $f'(x,r) = (f(x),r)$, induced from
another quantum one-way function f. Next, we reduce proving the quantum hardcore property to constructing
a polynomial-time quantum list-decoder. Using this list-decoder, we further construct a polynomial-time
quantum algorithm that inverts f' with reasonable probability. This clearly contradicts the one-wayness of f'
and hence proves the quantum hardcore property of C, as requested. Therefore, our major task of this paper
is to present fast quantum list-decoders for the aforementioned three codes.

Our proof technique exploits the quantum list-decodability of classical error-correcting codes (rather than
quantum error-correcting codes). For our purpose, we formulate the notion of complexity-theoretical quantum
list-decoding as a means of message recovery with quantum-computational errors rather than
information-theoretical errors, which are usually associated with classical transmission errors. This notion naturally
expands the classical framework of list-decoding. Most significantly, our quantum list-decoders tend to be more
query-efficient than their classical counterparts; namely, the quantum list-decoders have lower query
complexity, which refers to the total number of queries to a given quantumly corrupted codeword. For instance, we
can build a quantum list-decoder for a q-ary Hadamard code $HAD^{(q)}$ that requires significantly fewer queries
than any well-known classical list-decoder for $HAD^{(q)}$.

Intuitively, a quantumly corrupted codeword expresses the behaviors of (possibly) faulty quantum encoders. 
In classical list-decoding, a "classically" corrupted codeword is generated by a faulty channel as a result of 
its transmission error. Particularly, it is useful to treat transmission error as a faulty encoding process of 
messages to codewords when we seek applications of list-decoding in computational complexity. Another 
key notion of this paper is a useful quantum state, called a (k-shuffled) codeword state, which uses quantum 
"phase" to store the information on a given codeword. Similar states have appeared to play a key role in 
several quantum algorithms in the recent literature [7, 13, 19, 29]. We then reduce constructing a quantum
list-decoder to constructing a quantum codeword-state decoder (i.e., a quantum algorithm that recovers a
message x from a codeword state which is given as an input). Quantum algorithms of van Dam, Hallgren,
and Ip [29] for "hidden shift" problems are actually an early example of quantum codeword-state decoders. In
our key lemmas, we show (i) how to generate such a codeword state from any (even adversarial) quantumly
corrupted codeword and (ii) how to convert a codeword-state decoder to a quantum list-decoding algorithm
working with a quantumly corrupted codeword. The robust construction made in the course of our proofs
also provides a useful means, known as "hardness" reduction, which is often crucial in the security proof of a
quantum cryptosystem. Using pretty good measurement [14, 21], we can present a generic way of proving the
quantum list-decodability of a code if the set of its corresponding codeword states forms a "nearly" orthogonal
basis. This construction method is general and constructive but not time-efficient. For particular circulant
codes, such as $SLS^p$, however, we can give explicitly a quantum list-decoding algorithm.

Classical list-decodable codes have provided numerous applications in classical computational complexity
theory, including proving hardcores for any one-way function, hardness amplification, and derandomization
(see, e.g., [28]). Because our formulation of quantum list-decoding naturally extends the classical one, many
classical list-decoding algorithms work in our quantum setting as well. This will make our quantum
list-decoding a powerful tool in quantum complexity theory and quantum computational cryptography.

2 New Quantum Hardcore Functions



We briefly give the formal definitions of the core concepts of this paper, namely quantum one-way functions and
quantum hardcore functions, and then state our main contributions to the emerging field of quantum
cryptography. We assume the reader's basic knowledge of quantum computation. Our underlying computation
model is quantum Turing machines [7, 30] and quantum circuits [31]. Informally, we use the term "quantum
algorithm" to mean a description of a certain unitary operator, possibly together with a specific projection
measurement at the end of a computation. For convenience, the notation A(x) for a quantum algorithm A
and an input x denotes a random variable representing the outcome of the execution of A on input x.



2.1 Quantum Hardcore Property 

We begin with the notion of quantum one-way functions, which straightforwardly expands the classical
one-way functions introduced first by Diffie and Hellman [12] in 1976. Let $\mathbb{N}$ denote the set of all nonnegative
integers.

Definition 2.1 (quantum one-wayness) Let $\Sigma$ be any alphabet. A function f from $\Sigma^*$ to $\Sigma^*$ is called
(strongly) quantum one-way if (i) there exists a polynomial-time deterministic algorithm G computing f and
(ii) for any polynomial-time quantum algorithm A, for any positive polynomial p, and for any sufficiently large
numbers $n \in \mathbb{N}$,

$$\mathrm{Prob}_{x\in\Sigma^n,\,A}\left[ f(A(f(x), 1^n)) = f(x) \right] < \frac{1}{p(n)},$$

where x is uniformly distributed over $\Sigma^n$ and the subscript A is a random variable determined by measuring
the final state of A in the computational basis. This paper considers only length-regular one-way functions,
where a function f mapping N to N is called length regular if, for every string $x \in \Sigma^*$, $|f(x)| = \ell(|x|)$ for a
certain length function $\ell(n)$.

Because of the deterministic feature of the above f, all quantum one-way functions are indeed classically
one-way. For any quantum one-way function f, the notation f' denotes the function induced from f by
the following randomization scheme: $f'(x,r) = (f(x),r)$ for all $x, r \in \Sigma^*$ with $|r| = \mathrm{poly}(|x|)$, where the
notation (y, r) means the concatenation of y and r following y. Notice that f' is also a quantum one-way
function. Throughout this paper, we deal only with quantum one-way functions of this form, which is in direct
connection to the following notion of quantum hardcore functions.

The notion of a classical hardcore was first discussed by Blum and Micali [H] in 1984. A hardcore measures
the hardness of predicting the value h(x) from f(x) without knowing x as an explicit input. We define a
hardcore function h mapping $\Sigma^n$ to $\Sigma^{\ell(n)}$ by the notion of indistinguishability between h(x) and a truly random
variable z over $\Sigma^{\ell(n)}$ rather than the notion of nonapproximability. This is because indistinguishability and
nonapproximability define the same hardcore notion as long as the output size of hardcore functions is limited
to O(log n) (see, e.g., [15]).

Definition 2.2 (quantum hardcore) Let $\Sigma$ be any alphabet and let f be any length-regular function from
$\Sigma^*$ to $\Sigma^*$. A polynomial-time computable function h with length function $\ell(n)$ is called a quantum hardcore
(function) of f if, for any polynomial-time quantum algorithm A, for any polynomial p, and for any sufficiently
large number $n \in \mathbb{N}$,



Prob xe xn tA [A(f(x),l n ) = h{x)] 1 



1 

< 



p(nY 



where x is uniformly distributed over $\Sigma^n$ and the subscript A is a random variable determined by measuring
the final state of A in the computational basis.

Since every classical randomized algorithm can be translated into a special form of a quantum algorithm,
every classical hardcore is also a quantum hardcore. We are mostly interested in the property that a function
h becomes a quantum hardcore of any quantum one-way function f' (of the form $f'(x,r) = (f(x),r)$ for an
appropriate quantum one-way function f). Succinctly, we refer to this property as the quantum hardcore
property of h.

As a main theme of this paper, we consider only functions expressed in the forms of block (error-correcting)
codes. Generally speaking, a block (error-correcting) code is a set of strings of the same length over a finite
alphabet. Each string in a code is indexed by a message and is called a codeword. For our purpose, we are
focused on a family of codes, which is specified by a series $\{(\Sigma_n, I_n, \Gamma_n)\}_{n\in\mathbb{N}}$ of message space $\Sigma_n$, index set $I_n$,
and code alphabet $\Gamma_n$ associated with a length parameter n. For convenience, we write $\Sigma^*$ for the set $\bigcup_{n\in\mathbb{N}} \Sigma_n$.

As standard now in computational complexity theory, we view the code C as a function that, for each
message length n (which serves as a basis parameter in this paper), maps $\Sigma_n \times I_n$ to $\Gamma_n$. We sometimes
write $C^{(n)}$ to denote the code C restricted to messages of length n. Notationally, we set $N(n) = |\Sigma_n|$ and
$q(n) = |\Gamma_n|$. It is convenient to assume that $\Sigma_n = (\Gamma_n)^n$ so that n actually represents the length of a message
over $\Gamma_n$. By abbreviating C(x,r) as $C_x(r)$, we also treat $C_x(\cdot)$ as a function mapping $I_n$ to $\Gamma_n$. Denote by
M(n) the block length $|I_n|$ of each codeword. We simply set $I_n = \{0, 1, \ldots, M(n)-1\}$, each element of which
can be expressed in $\lceil \log_2 M(n) \rceil$ bits. We freely identify $C_x$ with the vector $(C_x(0), C_x(1), \ldots, C_x(M(n)-1))$
in the ambient space $(\Gamma_n)^{M(n)}$ of dimension M(n). We often work on a finite field and it is convenient to regard
$\Gamma_n$ as the finite field $\mathbb{F}_{q(n)}$ (= GF(q(n))) of order q(n), provided that q(n) is a prime power. The (Hamming)
distance $d(C_x, C_y)$ between two codewords $C_x$ and $C_y$ is the number of non-zero components in the vector
$C_x - C_y$. In contrast, $\Delta(C_x, C_y)$ denotes the relative (Hamming) distance $d(C_x, C_y)/M(n)$. Moreover, the
distance d(n) of a code C of message length n is the minimum distance between any pair of distinct codewords
of message length n in C.

The above-described code is simply called a $(M(n), n)_{q(n)}$-code (or $(M(n), n, d(n))_{q(n)}$-code if d(n) is
emphasized). We may drop a length parameter n whenever we discuss a set of codewords for a "fixed" length
n; for instance, write $\Gamma$ and M respectively for $\Gamma_n$ and M(n).

Now, let us present three new quantum hardcore functions, two of which are unknown, at present, to be
classical hardcores. These new quantum hardcores are (i) q-ary Hadamard codes, (ii) shifted Legendre symbol
codes, and (iii) pairwise equality codes. We explain these quantum hardcores as codes and give
polynomial-time quantum list-decoding algorithms for them.

Theorem 2.3 Let p(n) and q(n) be any two functions mapping $\mathbb{N}$ to the prime numbers with q(n) S
and $n = \lceil \log p(n) \rceil$. The three functions $HAD^{(q)}$, $SLS^p$, and PEQ, introduced below as classical block codes,
are all quantum hardcore functions for any quantum one-way function f' of the form $f'(x,r) = (f(x),r)$ for
any x and any r with $|r| = s(|x|)$, where f is an arbitrary quantum one-way function and s is a polynomial.

1. The q(n)-ary Hadamard code $HAD^{(q)}$, whose codeword $HAD^{(q)}_x$ is defined as
$HAD^{(q)}_x(r) = \sum_{i=0}^{n-1} x_i \cdot r_i \bmod q(n)$. The distance $d(HAD^{(q)})$ is $(1 - 1/q(n))\,q(n)^n$.

2. The pairwise equality code PEQ for even numbers $n \in \mathbb{N}$, which is a $(2^n, n)_2$-code, whose codeword is
$PEQ_x(r) = \bigoplus_{i=0}^{n/2-1} EQ(x_{2i}x_{2i+1}, r_{2i}r_{2i+1})$, where EQ denotes the equality predicate (i.e., EQ(x,y) = 1 if
x = y and 0 otherwise) and $\oplus$ is the bitwise XOR.

3. The shifted Legendre symbol code $SLS^p$, which is a $(p(n), n)_2$-code with odd prime p(n), whose codeword
$SLS^p_x$ is defined by the Legendre symbol as $SLS^p_x(r) = 1$ if $\left(\frac{x+r}{p(n)}\right) = -1$,‡ and $SLS^p_x(r) = 0$ otherwise.

Earlier, Damgard [11] introduced the so-called Legendre generator, which takes input (p(n), x) and produces
a g(n)-bit sequence whose rth bit equals $SLS^p_x(r)$ for every index $r \in \mathbb{F}_{p(n)}$, where p is a fixed polynomial. He
asked whether his generator possesses the classical hardcore property (which is also listed as an open problem
in [18]). Theorem 2.3(3) proves the "quantum" hardcore property of Damgard's generator for any quantum
one-way function.
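
The three block codes of Theorem 2.3 written as plain classical functions, with a brute-force distance check; this is an added example, not code from the original paper. It reads the shifted Legendre symbol as $\left(\frac{x+r}{p}\right)$ with message x and index r both in $\mathbb{F}_p$, and PEQ as the XOR over consecutive bit pairs; the small parameters and all function names are chosen here for illustration.

```python
from itertools import product


def had(q, x, r):
    """q-ary Hadamard symbol: HAD_x(r) = sum_i x_i * r_i mod q (q prime)."""
    return sum(a * b for a, b in zip(x, r)) % q


def peq(x, r):
    """Pairwise equality: XOR over i of EQ(x_{2i} x_{2i+1}, r_{2i} r_{2i+1})."""
    if len(x) % 2 or len(x) != len(r):
        raise ValueError("PEQ needs two bit strings of the same even length")
    bit = 0
    for i in range(0, len(x), 2):
        bit ^= int(x[i:i + 2] == r[i:i + 2])
    return bit


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def sls(p, x, r):
    """Shifted Legendre symbol: 1 if ((x + r)/p) = -1, else 0 (assumed reading)."""
    return 1 if legendre(x + r, p) == -1 else 0


def hadamard_family(q, n):
    """Messages and indices are both vectors in F_q^n, so M = q^n."""
    vectors = list(product(range(q), repeat=n))
    return (lambda x, r: had(q, x, r)), vectors, vectors


def peq_family(n):
    """Messages and indices are both n-bit strings, so M = 2^n."""
    bits = list(product(range(2), repeat=n))
    return peq, bits, bits


def sls_family(p):
    """Messages and indices are both elements of F_p, so M = p (assumption)."""
    field = list(range(p))
    return (lambda x, r: sls(p, x, r)), field, field


def codeword(code, x, index_set):
    """The vector (C_x(0), ..., C_x(M-1)) over the given index set."""
    return tuple(code(x, r) for r in index_set)


def min_distance(code, messages, index_set):
    """Minimum Hamming distance over all pairs of distinct messages."""
    words = [codeword(code, x, index_set) for x in messages]
    return min(
        sum(a != b for a, b in zip(u, v))
        for i, u in enumerate(words)
        for v in words[i + 1:]
    )


if __name__ == "__main__":
    # Hadamard: the stated distance (1 - 1/q) q^n, here (2/3) * 9.
    print("HAD q=3 n=2:", min_distance(*hadamard_family(3, 2)))
    # PEQ on 4-bit messages: every pair of codewords differs in half of 2^4.
    print("PEQ n=4    :", min_distance(*peq_family(4)))
    # SLS: each codeword is a cyclic shift of SLS_0 (a circulant code).
    print("SLS p=7    :", min_distance(*sls_family(7)))
    print("SLS_0      :", codeword(sls_family(7)[0], 0, range(7)))
```

The brute force is only meant for small parameters, where it confirms the distance $(1 - 1/q)q^n$ stated for the Hadamard code and shows the cyclic-shift structure of the SLS codewords.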



3 How can We Prove the Quantum Hardcore Property? 

We shall outline our argument of proving the quantum hardcore property of a given function. To prove 
new quantum hardcores, we exploit the notion of quantum list-decoding as a technical tool. Our approach 
toward list-decoding is, however, complexity-theoretical in nature rather than information-theoretical. Our 
main objects of quantum list-decoding are "classical" block codes and their codewords, which are manipulated 
in a quantum fashion. 

‡ For any odd prime p, let $\left(\frac{x}{p}\right) = 0$ if $p \mid x$, $\left(\frac{x}{p}\right) = 1$ if $p \nmid x$ and x is a quadratic residue modulo p, and $\left(\frac{x}{p}\right) = -1$ otherwise.

3.1 Quantum List Decoding

In classical list-decoding, we are allowed to access a received word, which is a "classically corrupted codeword," 
given as an oracle and our goal is to produce a short list of message candidates that match the received word. 
Similar to the classical notion of a received word in coding theory, we introduce our terminology concerning 
an oracle that represents a "quantum-computationally" (or "quantumly") corrupted codeword that produces
garbage information of $\ell(n)$ size. For an immediate comparison to a quantum case, we use a more conceptual
term "classically corrupted codeword" instead of the conventional term "received word" in the rest of this 
paper. 

Let us formulate a notion of quantum list-decoding and present a key theorem, Theorem 3.3, which bridges
between quantum hardcore functions and quantum list-decoding.

Definition 3.1 (quantum-computationally corrupted codeword) We say that a unitary operator O
represents a quantum-computationally (or quantumly) corrupted codeword if there exists a function $\ell$ mapping
N to N such that, for any length parameter $n \in \mathbb{N}$, any index $r \in I_n$, and any element $u \in \Gamma_n$, the operator O
satisfies

$$O|r\rangle|u\rangle|0^{\ell(n)}\rangle = \sum_{s\in\Gamma_n} \alpha_{r,s}|r\rangle|u\oplus s\rangle|\phi_{r,s}\rangle$$

for complex numbers $\alpha_{r,s}$ with $\sum_{s\in\Gamma_n} |\alpha_{r,s}|^2 = 1$ for each index $r \in I_n$, and for unit vectors $|\phi_{r,s}\rangle$ in a
$2^{\ell(n)}$-dimensional Hilbert space, depending only on (r, s), where $\oplus$ is the bitwise XOR. Here, the parameter
$\ell(n)$ indicates the size of garbage information produced by O. Notice that O is a unitary operator acting on a
Hilbert space spanned by the elements of $\bigcup_{n\in\mathbb{N}}(I_n \times \Gamma_n \times \{0,1\}^{\ell(n)})$. For convenience, we identify a quantumly
corrupted codeword with its representing oracle and we simply call O a quantumly corrupted codeword.

With the above notion, we shall describe a quantum version of a classical list-decoding problem. Let us
recall that our target function C(x, r) is always expressed as an $(M(n), n, d(n))_{q(n)}$-code family $C = \{C_x\}_{x\in\Sigma^*}$.

For the formulation of the quantum list-decoding problem, we introduce a notion of presence, which is a
quantum analogue of a "closeness"-scale between a codeword and its quantumly corrupted codeword. More
precisely, fix $n \in \mathbb{N}$ and $x \in \Sigma_n$ and consider the entity $(1/M(n)) \sum_{r\in I_n} |\alpha_{r,C_x(r)}|^2$ (using the terms given in
Definition 3.1). In comparison, let us review classical list decoding. For any given oracle O that represents
a classically corrupted codeword and for any error bound $\varepsilon$, a classical list decoder tries to output a short
list consisting of all messages x for which the probability, over $r \in I_n$, that O(r) equals $C_x(r)$ is at least
$1 - \varepsilon$ (namely, $\mathrm{Prob}_{r\in I_n}[O(r) = C_x(r)] \ge 1 - \varepsilon$). By setting $p_{r,s} = 1$ if O(r) = s and 0 otherwise, the
behavior of O can be viewed in a style of unitary operation as $O|r\rangle|0\rangle = \sum_{s\in\Gamma_n} p_{r,s}|r\rangle|s\rangle$. The aforementioned
entity $(1/M(n)) \sum_{r\in I_n} |\alpha_{r,C_x(r)}|^2$ equals the probability $\mathrm{Prob}_{r\in I_n}[O(r) = C_x(r)]$ in a classical setting. For our
convenience, we name this entity the presence of $C_x$ in O and use the notation $\mathrm{Pre}_O(C_x)$ to describe it.

Our task of quantum list-decoding of the code C is, given a quantumly corrupted codeword O for C and a
size parameter n (as well as garbage size $\ell(n)$ of O), to produce with success probability at least $\delta(n)$ a list of
candidates x, all of which satisfy the condition $\mathrm{Pre}_O(C_x) > 1/q(n) + \varepsilon(n)$, where $\varepsilon(n)$ is an error bias parameter
and $\delta(n)$ is a confidence parameter. For our application of quantum list-decoding to quantum hardcore, we
need to deal only with quantumly corrupted codewords O of polynomial garbage size $\ell$. A "quantum list
decoding algorithm" (or a "quantum list decoder") means a procedure of carrying out this task with the two
parameters $\varepsilon$ and $\delta$.

Now, we formally define this notion as follows. 

Definition 3.2 (quantum list decoder) Let C be any $(M(n), n)_{q(n)}$-code family, let $\varepsilon(n)$ be any error bias
parameter and let $\delta(n)$ be any confidence parameter. Moreover, let $\ell$ be any polynomially-bounded function
from N to N. A quantum list-decoding algorithm for C with respect to $(\ell, \varepsilon, \delta)$ (or an $(\ell, \varepsilon, \delta)$-quantum
list-decoder) is a quantum algorithm (i.e., a unitary operator) D that solves with success probability at least $\delta(n)$
the following quantum list-decoding problem:

Input: a message length n.

Implicit Input: an oracle O representing a quantumly corrupted codeword of garbage size $\ell(n)$.
Output: a list of messages including all messages $x \in \Sigma_n$ such that $\mathrm{Pre}_O(C_x) > 1/q(n) + \varepsilon(n)$; in other
words, codewords $C_x$ have "slightly" higher presence in O than the average. For convenience, we call
such a list a valid list.

If D further runs in time polynomial in $(n, 1/\varepsilon(n), \log_2[1/(1-\delta(n))])$ (if $\delta(n) = 1$ then we treat $1/(1-\delta(n))$ as
1 for notational convenience), it is called a polynomial-time quantum list-decoding algorithm for C with respect
to $(\ell, \varepsilon, \delta)$. We also say that C is $(\ell, \varepsilon, \delta)$-quantum list-decodable if C has an $(\ell, \varepsilon, \delta)$-quantum list-decoder.

Now, we are ready to give our key theorem, Theorem 3.3, which serves as a driving force to develop a theory
of quantum list decoding in the subsequent sections. Notably, Sections 0HS1 will be devoted to the construction 
of quantum list-decoders for each given quantum hardcore candidate. The first step is to establish a generic 
technique of constructing quantum list-decoders for "well-behaved" classical block codes. 

Theorem 3.3 Let $C = \{C_x\}_{x\in\Sigma^*}$ be any $(M(n), n, d(n))_{q(n)}$-code with a message space $\Sigma^* = \bigcup_{n\in\mathbb{N}} \Sigma_n$ which
is polynomial-time computable, where $\log_2 M(n) \in n^{O(1)}$ and log 2 q(n) £ . If, for any noticeable§ function
$\varepsilon(n)$ and any polynomially-bounded function $\ell(n)$, there exist a noticeable function $\delta(n)$ and a polynomial-time
$(\ell, \varepsilon, \delta)$-quantum list-decoder for C, then C(x,r) is a quantum hardcore for any quantum one-way function
f' of the form $f'(x,r) = (f(x),r)$ with $|x| = \lceil \log_2 N(n) \rceil$ and $|r| = \lceil \log_2 M(n) \rceil$, where $N(n) = |\Sigma_n|$, and
therefore C satisfies the quantum hardcore property.

3.2 Quantumly Corrupted Codewords 

Through this subsection to the next two subsections, we shall explain how to prove Theorem 3.3 with a succinct
justification of our notions of quantumly corrupted codeword, presence, and quantum list-decoding.

Now, let $C = \{(\Sigma_n, I_n, \Gamma_n)\}_{n\in\mathbb{N}}$ be any $(M(n), n, d(n))_{q(n)}$-code family, where C is viewed as a collection
of functions mapping $\Sigma_n \times I_n$ to $\Gamma_n$ for each length parameter $n \in \mathbb{N}$. For simplicity, assume that
$p(n) = \lceil \log_2 M(n) \rceil$ for a certain polynomial p. For every quantum one-way function f, we wish to prove that this
function C(x, r) is indeed a quantum hardcore for the induced quantum one-way function f' of the form
$f'(x,r) = (f(x),r)$ with |r| = p(|x|). For simplicity, we assume that all the elements in $I_n$, $\Sigma_n$, and $\Gamma_n$ are
expressed in binary using an appropriate, simple, and easy encoding scheme. In the following argument, we fix
an arbitrary quantum one-way function. To lead to a desired contradiction, we first assume to the contrary that
there exists a polynomial-time quantum algorithm A that approximates $C_x(r)$ from input $(f'(x,r), 1^n)$ with
success probability, over $(x, r) \in \Sigma_n \times I_n$, at least $1/q(n) + \varepsilon(n)$ (where $\varepsilon(n)$ is a certain noticeable function);
that is, $\mathrm{Prob}_{A,(x,r)}[A(f'(x,r), 1^n) = C_x(r)] \ge 1/q(n) + \varepsilon(n)$. Thus, there are at least an $\varepsilon(n)/2$-fraction of
$|\Sigma_n|$ elements $x \in \Sigma_n$ satisfying that $A(f'(x, r), 1^n)$ outputs $C_x(r)$ with probability at least $1/q(n) + \varepsilon(n)/2$.
Meanwhile, we fix such an x and let y = f(x). The final configuration of the quantum algorithm A on input
$((y, r), 1^n)$, where $r \in I_n$, can be assumed to be of the form:

$$\alpha_{y,r,C_x(r)}|r\rangle|C_x(r)\rangle|\phi_{y,r,C_x(r)}\rangle + \sum_{s\in\Gamma_n - \{C_x(r)\}} \alpha_{y,r,s}|r\rangle|s\rangle|\phi_{y,r,s}\rangle$$

for certain amplitudes $\alpha_{y,r,s}$ and ancilla quantum states $|\phi_{y,r,s}\rangle$ of $\ell(n)$ qubits, where the second register
corresponds to the output of the algorithm, where $\ell(n)$ is a polynomially-bounded function.

For the fixed string y, we pay our attention to the (restricted) algorithm $A_y(\cdot) =_{\mathrm{def}} A(y, \cdot)$. An implicit
input to our quantum list-decoder is a quantumly corrupted codeword $O_{A_y}$, of garbage size $\ell(n)$, defined by
a certain unitary transformation that satisfies the following necessary condition:

$$O_{A_y}|r\rangle|u\rangle|0^{\ell(n)}\rangle = \sum_{s\in\Gamma_n} \alpha_{y,r,s}|r\rangle|u\oplus s\rangle|\phi_{y,r,s}\rangle$$
ser„ 

for every pair (r, u) of strings. This oracle describes computational error (not transmission error) occurring
during the computation of $C_x$ by the (possibly) faulty quantum algorithm A. This type of erroneous quantum
computation is similar to the computational errors (e.g., [Tl HI [51 124j) dealt with in quantum computational
cryptography and quantum algorithm designing. Notice that the amplitudes $\{\alpha_{y,r,s}\}_{r,s}$ in $O_{A_y}$ satisfy that
$\sum_{s\in\Gamma_n} |\alpha_{y,r,s}|^2 = 1$ for each index $r \in I_n$. Since $O_{A_y}$ is a unitary operation, its inverse $O_{A_y}^{-1}$ can be uniquely
defined.

We can freely access $O_{A_y}$ (as well as $O_{A_y}^{-1}$) by simply invoking a query, using three registers containing
(r,u). Upon an oracle call, the oracle is automatically applied to the three registers and all the contents of 
these registers are modified at the cost of unit time. 

§ A function $\mu$ from N to R is said to be noticeable if there exists a positive polynomial p such that $\mu(n) > 1/p(n)$ for any
sufficiently large number $n \in \mathbb{N}$.

3.3 Presence and List Size

To lead to our desired contradiction, we need to invert the function f(x) by extracting x from the
aforementioned quantumly corrupted codeword $O_{A_y}$ in time polynomial in

Before proceeding with our proof further, we take a close look at the presence notion. For our quantumly
corrupted codeword $O_{A_y}$ for a target codeword $C_x$, its presence $\mathrm{Pre}_{O_{A_y}}(C_x)$, which is $(1/M(n)) \sum_{r\in I_n} |\alpha_{y,r,C_x(r)}|^2$,
coincides with the probability that the algorithm A successfully computes $C_x(r)$ from (y,r). From our
assumption, it holds that $\mathrm{Pre}_{O_{A_y}}(C_x) > 1/q(n) + \varepsilon(n)$.

From a slightly different view point, we can argue that the presence notion is indeed an extension of relative
(Hamming) distance. This will be used in the proof of Lemma 3.4. Let v denote a classically corrupted
codeword. We can view v as a binary vector in the q(n)M(n)-dimensional space, in which the rth block v[r]
of v is of the form $0^{i-1}10^{q(n)-i}$ for a certain index $i \in [q(n)]$, where $r \in [M(n)]$. Using this new representation,
the relative (Hamming) distance between two classically corrupted codewords v and w equals the $\ell_1$-norm
$\|v - w\|_1 = \sum_{r\in[M(n)]} \|v[r] - w[r]\|$. Similarly, a quantumly corrupted codeword $v_{O_{A_y}}$ that the oracle
$O_{A_y}$ represents can be viewed as the real vector in the q(n)M(n)-dimensional space, in which $v_{O_{A_y}}[r]$
is $(|\alpha_{r,0}|^2, |\alpha_{r,1}|^2, \ldots, |\alpha_{r,q(n)-1}|^2)$. The presence $\mathrm{Pre}_{O_{A_y}}(C_x)$ now indicates the $\ell_1$-norm between $v_{O_{A_y}}$ and
a codeword $C_x$, extending the classical notion of distance. We then obtain $\|v_{O_{A_y}} - C_x\|_1 > 1/q(n) + \varepsilon(n)$.
Therefore, if we can find all elements x' satisfying $\mathrm{Pre}_{O_{A_y}}(C_{x'}) > 1/q(n) + \varepsilon(n)$, at least one of them must
satisfy f(x') = y.

Because no quantum list-decoder can output a valid list of super-polynomial size in polynomial time for the
quantumly corrupted codeword $O_{A_y}$, there is an important question to answer: how many messages x satisfy
the required inequality $\mathrm{Pre}_{O_{A_y}}(C_x) > 1/q(n) + \varepsilon(n)$? We want to show an upper bound of the number of
codewords that have relatively high presence in a given quantumly corrupted word. For our proof, we employ
a proof method of Guruswami and Sudan [20], who gave a q-ary extension of Johnson bound using a geometric
method.

Lemma 3.4 Let n be any message length. Let $\varepsilon(n)$, q(n), d(n), and M(n) satisfy that
$\varepsilon(n) > k(n) =_{\mathrm{def}} (1 - 1/q(n)) \sqrt{1 - \frac{d(n)}{M(n)}\left(1 + \frac{1}{q(n)-1}\right)}$. For any $(M(n), n, d(n))_{q(n)}$-code C and for any given
quantumly corrupted codeword O, there are at most

$$J_{\varepsilon,q,d,M}(n) =_{\mathrm{def}} \min\left\{ M(n)(q(n)-1),\ \frac{d(n)\,(1 - 1/q(n))}{M(n)\varepsilon^2(n) + (1 - 1/q(n))\,[d(n) - M(n)(1 - 1/q(n))]} \right\}$$

messages $x \in \Sigma_n$ such that $\mathrm{Pre}_O(C_x) > 1/q(n) + \varepsilon(n)$. If $\varepsilon(n) = k(n)$, then the above bound can be replaced
by $2M(n)(q(n) - 1) - 1$.

The proof of Lemma 3.4 is in essence a simple modification of the proof in [20]; however, for completeness,
we include the proof of the lemma in Appendix. As a quick example, we present the value $J_{\varepsilon,q,d,M}(n)$ for a
$(q^n, n, q^n - q^{n-1})_q$ Hadamard code.

Example: Hadamard Codes. Consider an $(M(n), n, d(n))_{q(n)}$ Hadamard code $HAD^{(q)} = \{HAD^{(q)}_x\}_{x\in\Sigma^*}$
with $M(n) = q(n)^n$ and $d(n) = (1 - 1/q(n))\,M(n)$. Assume that our bias parameter $\varepsilon$ is non zero (i.e., $\varepsilon(n) > 0$
for all $n \in \mathbb{N}$). Lemma 3.4 guarantees that, for any quantumly corrupted codeword O, the number of
codeword candidates that satisfy the inequality $\mathrm{Pre}_O(HAD^{(q)}_x) > 1/q(n) + \varepsilon(n)$ is at most

$$\frac{d(n)\left(1 - \frac{1}{q(n)}\right)}{M(n)\varepsilon(n)^2 + \left(1 - \frac{1}{q(n)}\right)\left[d(n) - M(n)\left(1 - \frac{1}{q(n)}\right)\right]} = \left(1 - \frac{1}{q(n)}\right)^2 \frac{1}{\varepsilon(n)^2}.$$

In particular, if there exists a positive polynomial p satisfying $\varepsilon(n) > 1/p(n)$ for all $n \in \mathbb{N}$, there are only at
most $(1 - 1/q(n))^2 p(n)^2$ codeword candidates.
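
Presence and the list-size bound of the Hadamard example, computed by brute force; this is an added example, not code from the original paper. A corrupted codeword is represented only by its table of squared amplitudes $|\alpha_{r,s}|^2$, which is all that presence depends on; the sample oracle, the parameters q = 3 and n = 3, and the function names are constructed here for illustration.

```python
from fractions import Fraction
from itertools import product


def had(q, x, r):
    """q-ary Hadamard symbol HAD_x(r) = sum_i x_i * r_i mod q (q prime)."""
    return sum(a * b for a, b in zip(x, r)) % q


def vectors(q, n):
    """All of F_q^n; used both as message space and as index set (M = q^n)."""
    return list(product(range(q), repeat=n))


def from_word(q, n, word):
    """Classically corrupted codeword: p_{r,s} = 1 if O(r) = s and 0 otherwise."""
    return {r: [Fraction(int(word[r] == s)) for s in range(q)]
            for r in vectors(q, n)}


def mixture(q, n, weights):
    """Constructed oracle given by its squared amplitudes |alpha_{r,s}|^2:
    at every index r it puts weight w on the symbol HAD_x(r) for each
    (x, w) in `weights` and spreads the remaining weight uniformly."""
    rest = 1 - sum(weights.values())
    if rest < 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative and sum to at most 1")
    table = {}
    for r in vectors(q, n):
        row = [Fraction(rest) / q] * q
        for x, w in weights.items():
            row[had(q, x, r)] += w
        table[r] = row          # each row sums to 1, as Definition 3.1 requires
    return table


def presence(q, n, table, x):
    """Pre_O(C_x) = (1/M) * sum over r of |alpha_{r, C_x(r)}|^2."""
    index_set = vectors(q, n)
    return sum(table[r][had(q, x, r)] for r in index_set) / len(index_set)


def list_decode(q, n, table, eps):
    """Brute-force valid list: every x whose presence is at least 1/q + eps."""
    threshold = Fraction(1, q) + eps
    return [x for x in vectors(q, n) if presence(q, n, table, x) >= threshold]


def hadamard_list_bound(q, eps):
    """(1 - 1/q)^2 / eps^2, the Hadamard-code value of the Lemma 3.4 bound."""
    return (1 - Fraction(1, q)) ** 2 / Fraction(eps) ** 2


if __name__ == "__main__":
    q, n = 3, 3
    x1, x2 = (1, 2, 0), (2, 0, 1)
    # Constructed sample: half the weight follows C_x1, 3/10 follows C_x2,
    # and the remaining 1/5 is uniform noise.
    noisy = mixture(q, n, {x1: Fraction(1, 2), x2: Fraction(3, 10)})
    for eps in (Fraction(3, 20), Fraction(3, 10)):
        found = list_decode(q, n, noisy, eps)
        print("eps =", eps, "list =", found,
              "bound =", float(hadamard_list_bound(q, eps)))
```

Every message other than the two planted ones has presence exactly 1/q here, because two distinct Hadamard codewords agree on exactly a 1/q fraction of the indices.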

3.4 Applying a Quantum List Decoder 

Let us return to our proof of Theorem 3.3. By the premise of the theorem, there exist a noticeable function $\delta$
and a polynomial-time $(\ell, \varepsilon, \delta)$-quantum list-decoding algorithm D for $C_x(\cdot)$ with certain noticeable probability,
say $\delta(n)$.

For simplicity, we assume that, for each oracle access, our quantum list-decoder D uses its last three 
registers |r)|it)|i), in which the last register holds a quantum state of polynomially-many qubits. 

Since the garbage size £(n) of Oa v is polynomially bounded, we can assume that, after an oracle call, the 
oracle Oa v (° r hs inverse O^ 1 ) is automatically applied to the last three registers of D with a unit cost of 
time. For convenience, the last register is assumed to hold only Os at the beginning of the computation. 

With oracle access to this oracle Oa v (as well as its inverse O^ 1 ), our quantum list-decoder D can produce 
with probability at least 5(n) all possible candidates x' that have the required presence Pre^ {C x i) of at 

least l/q(n) + e(n)/2. As seen before, at least one of these candidates lies in the pre-image f~ 1 {y). Since we 
can check whether f(x') = y in polynomial time, it suffices for us to output one of such elements x' . This 
implies that, for at least (e(n) /2)\Y, n \ elements x, we can find x' in polynomial time such that f(x') = f(x). 
Our quantum list-decoder D therefore gives rise to a polynomial-time quantum algorithm that inverts / on a 
noticeable fraction of inputs x with noticeable probability. This clearly contradicts the quantum one-wayness 
of/. 

Therefore, the quantum hardcore property holds for C and this completes the proof of Theorem 13.31 



4 Key Roles of Quantum Codeword-State Decoders 

How can we prove the quantum hardcore property of our target quantum hardcore candidates? As outlined in
Section 2, our goal is to construct a polynomial-time quantum list-decoder for each of the target candidates.
Theorem 3.3 gives a sufficient condition to prove the quantum hardcore property of any given code $C$. It is
therefore enough for us to design a quantum algorithm that solves the quantum list-decoding problem for $C$
with high probability in polynomial time. Our task in this paper is now fixed: to find a generic way to construct
a polynomial-time quantum list-decoder for a wide range of classical block codes. Notice that it seems hard
to design such list-decoding algorithms classically. Let us introduce a central notion of $k$-shuffled codeword
states, which is a unique quantum state encoding all information on a given codeword.



4.1 Quantum Codeword States 

Hereafter, we assume the basic arithmetic operations (multiplication, addition, subtraction, division, etc.)
on a finite field $\mathbb{F}_q$ of order $q$. When $q$ is a prime number, $\mathbb{F}_q$ can be identified with the integer ring $\mathbb{Z}/q\mathbb{Z}$
whose elements are written as $0, 1, 2, \ldots, q - 1$. For convenience, let $\mathbb{F}_q^+$ stand for $\mathbb{F}_q - \{0\}$. The notation
$\mathbb{Z}_q$ denotes the (finite) additive group whose elements are $0, 1, 2, \ldots, q - 1$. Moreover, we write $[m,n]_{\mathbb{Z}} =
\{m, m + 1, m + 2, \ldots, n\}$ for any two integers $m, n \in \mathbb{N}$ with $m < n$ and, in particular, let $[q] = [1, q]_{\mathbb{Z}}$ for any
integer $q > 1$ in the rest of this paper. Finally, we denote by $\omega_q$ the complex number $e^{2\pi\iota/q}$, where $e$ is the
base of natural logarithms and $\iota = \sqrt{-1}$.

Definition 4.1 (shuffled codeword state) Let $C = \{C_x\}_{x \in \Sigma^*}$ be any $(M(n), n)_{q(n)}$-code family with a
message space $\Sigma^* = \bigcup_{n \in \mathbb{N}} \Sigma_n$ and a series $\{I_n\}_{n \in \mathbb{N}}$ of index sets. Let $k$ be any element in $\mathbb{F}_{q(n)}^+$. A $k$-shuffled
codeword state for the codeword $C_x$ that encodes a message $x \in \Sigma_n$ is the quantum state

$$|C_x^{(k)}\rangle = \frac{1}{\sqrt{M(n)}} \sum_{r \in I_n} \omega_{q(n)}^{k \cdot C_x(r)} |r\rangle.$$

In particular, when $k = 1$, we use the simplified notation $|C_x\rangle$ for $|C_x^{(1)}\rangle$.

A robust nature of quantum computation enables us to prove that, as long as we have a decoding algorithm 
A from a shuffled codeword state, we can construct a quantum list-decoder by calling A as a black-box oracle. 
The notion of such codeword states plays a central role as our technical tool in proving new quantum hardcores. 

The reader may be aware that our notion of codeword states is not new; the codeword states for certain
binary codes have already appeared implicitly in several important quantum algorithms. For instance, Grover's
search algorithm [19] produces such a codeword state after the first oracle call. In the quantum algorithms of
Bernstein and Vazirani [7], of Deutsch and Jozsa [13], and of van Dam, Hallgren, and Ip [29], such codeword
states are generated to obtain their results. All these quantum algorithms hinge on generating codeword states.

Our task is to recover $x$ with reasonable probability from each $k$-shuffled codeword state $|C_x^{(k)}\rangle$. Any
quantum algorithm that completes this task is succinctly called a codeword-state decoder. We formally define
the quantum codeword-state decoders.

Definition 4.2 (quantum codeword-state decodability) Let $\eta \in [0,1]$. A classical $(M(n), n)_{q(n)}$-code
family is said to be $\eta$-quantum codeword-state decodable if there exists a quantum algorithm that, on input
$n \in \mathbb{N}$ and $k \in \mathbb{F}_{q(n)}^+$ as well as $|C_x^{(k)}\rangle$, recovers $x$ with success probability at least $\eta$. Such an algorithm is
simply called an $\eta$-quantum codeword-state decoder.

Let us prove the following key theorem, which helps us convert quantum codeword states into quantum
list-decoders. The following theorem, Theorem 4.3, which is general but slightly technical, shows how we can
convert a codeword-state decoder $\mathcal{D}$ for a given code $C$ into a quantum list-decoder $B$ for $C$ that produces
a valid list of appropriate size. Under a certain condition, we can make this quantum list-decoder run in
polynomial time.

Recall the definition of $J_{\varepsilon,q,d,M}(n)$ given in Lemma 3.4. Note that $J_{\varepsilon,q,d,M}(n) \le 2M(n)q(n)$. In the
following, "e" stands for the base of the natural logarithm.

Theorem 4.3 Let $C = \{C_x\}_{x \in \Sigma^*}$ be any $(M(n), n, d(n))_{q(n)}$-code. Let $\varepsilon$ and $\delta$ be any two nonnegative
functions with $0 \le \varepsilon(n) < 1$ and $0 \le \delta(n) < 1$ for all numbers $n \in \mathbb{N}$. Let $\ell$ be any polynomially-bounded
function from $\mathbb{N}$ to $\mathbb{N}$. If there exists a $(1 - \nu(n))$-quantum codeword-state decoder $\mathcal{D}$ for $C$ with $1 - \nu(n) >
\sqrt{1 - \eta_\varepsilon(n)^2}$ for a certain function $\nu(n)$ from $\mathbb{N}$ to $[0, 1]$, then there exists an $(\ell, \varepsilon, \delta)$-quantum list-decoder $B$
for $C$ with oracle access to $\tilde{O}$ such that $B$ produces a list of size at most

$$\frac{q(n) - 1}{1 - \nu(n) - \sqrt{1 - \eta_\varepsilon(n)^2}} \left( \log_e J_{\varepsilon,q,d,M}(n) + \log_e \frac{1}{1 - \delta(n)} \right),$$

where $\eta_\varepsilon(n) = (q(n)/(q(n) - 1))\varepsilon(n)$ and the query complexity (i.e., the total number of queries to $\tilde{O}$ as well
as $\tilde{O}^{-1}$) is at most twice as many as the list size. Moreover, letting $\sigma(n) = 1 - \nu(n) - \sqrt{1 - \eta_\varepsilon(n)^2}$, if $\mathcal{D}$ runs
in time polynomial in $(n, q(n), \log_2 M(n))$ and $\sigma$ is a positive-valued function whose reciprocal (i.e., $1/\sigma(n)$)
is polynomially-bounded in $(n, q(n), \log_2 M(n), 1/\varepsilon(n), \log_2(1/(1 - \delta(n))))$ from above, then $B$ runs in time
polynomial in $(n, q(n), \log_2 M(n), 1/\varepsilon(n), \log_2(1/(1 - \delta(n))))$.

Combining Theorem 4.3 together with Theorem 3.3, we can establish a direct connection between the
existence of a polynomial-time quantum codeword-state decoder for a code $C$ and the quantum hardcore property
of $C$.

Corollary 4.4 Let $s$ be any negligible function mapping $\mathbb{N}$ to the interval $[0, 1]$. Let $C$ be any $(M(n), n)_{q(n)}$-
code family with $\log_2 M(n) \in n^{O(1)}$ and $q(n) \in n^{O(1)}$. Let $\delta(n) = 1 - 2^{-n}$ for every number $n \in \mathbb{N}$. If there
exists a polynomial-time $(1 - s)$-quantum codeword-state decoder for $C$, then, for any noticeable function $\varepsilon$
and any polynomially-bounded function $\ell$, there exists a polynomial-time $(\ell, \varepsilon, \delta)$-quantum list-decoder for $C$.
Hence, $C$ satisfies the quantum hardcore property.

Proof. Let $s$ be any negligible function and let $\mathcal{D}$ be a polynomial-time $(1 - s)$-quantum codeword-
state decoder for an $(M(n), n)_{q(n)}$-code family $C$. Define $\delta(n) = 1 - 2^{-n}$ for any $n \in \mathbb{N}^+$. Note that
$\log_2(1/(1 - \delta(n))) = \log_2 2^n = n$. Let $\varepsilon$ be any noticeable function. Let $\eta_\varepsilon(n) = (q(n)/(q(n) - 1))\varepsilon(n)$. By
the definition of noticeability, there is an appropriate positive polynomial $p'$ such that $\varepsilon(n) > 1/p'(n)$ for any
sufficiently large $n \in \mathbb{N}$. To apply Theorem 4.3, we need to show that $\sigma(n) = (1 - s(n)) - \sqrt{1 - \eta_\varepsilon(n)^2}$ is
a noticeable function (in $n$), because the functions $\log_2 M(n)$, $q(n)$, $1/\varepsilon(n)$, and $\log_2(1/(1 - \delta(n)))$ are all
polynomially bounded in $n$. Fix any sufficiently large number $n$ in $\mathbb{N}$ so that the following argument always
holds. Since $s$ is a negligible function, it follows that $s(n) < 1/4p'(n)^2$. Using the inequality $\sqrt{1 - x} < 1 - x/2$,
we obtain

$$\sigma(n) > 1 - s(n) - \sqrt{1 - \varepsilon(n)^2} > 1 - \frac{1}{4p'(n)^2} - \left(1 - \frac{1}{2p'(n)^2}\right) = \frac{1}{4p'(n)^2}.$$

Since $n$ is arbitrary, $\sigma$ is clearly a noticeable function, as requested. By Theorem 4.3, we then obtain an
$(\ell, \varepsilon, \delta)$-quantum list-decoder for $C$ running in time polynomial in $n$. □

4.2 Proof of Theorem 4.3

We shall prove our key theorem, Theorem 4.3. The lemma will be proven in two stages. In the first stage,
we present how to generate a quantum state $|C_x^{(k)}\rangle$ from each quantumly corrupted codeword $\tilde{O}$ for $C_x$. In the
second stage, we show how to list-decode $x$ from $|C_x^{(k)}\rangle$, using a given codeword-state decoder for $C$. These
stages give a desired quantum list-decoder for $C$.

As the first step, we shall show how to generate the $k$-shuffled codeword state $|C_x^{(k)}\rangle$ for each $q$-ary codeword
$C_x$ with oracle accesses to a quantumly corrupted codeword $\tilde{O}$. It is rather straightforward to generate the
quantum state $|C_x^{(k)}\rangle$ from the oracle $O_{C_x}$ that represents $C_x$ without any corruption (behaving as the "standard"
oracle). Using $\tilde{O}$, however, it seems difficult to produce $|C_x^{(k)}\rangle$ with relatively high probability. In Lemma 4.5,
loosely speaking, for a certain constant $k > 0$, we can produce in polynomial time a quantum state of the form
$|k\rangle|C_x^{(k)}\rangle|\tau\rangle$ from an initial state of the form $|k\rangle|0^m\rangle|0\rangle|0^\ell\rangle$ with relatively good probability (if the presence
$\mathrm{Pre}_{\tilde{O}}(C_x)$ is far away from $1/q(n)$). Moreover, we claim that there exists a "generic" quantum algorithm that
generates $|k\rangle|C_x^{(k)}\rangle|\tau\rangle$ for any $q$-ary code $C$.

Lemma 4.5 Let $C$ be any $(M(n), n)_{q(n)}$-code family with a message space $\Sigma^* = \bigcup_{n \in \mathbb{N}} \Sigma_n$, where $q(n)$ is a
prime number for every $n \in \mathbb{N}$. Let $m$ be any function from $\mathbb{N}$ to $\mathbb{N}$. There exists a quantum algorithm $A$
that, for any message length $n \in \mathbb{N}$, for any quantumly corrupted codeword $\tilde{O}$ with garbage size $\ell(n)$, for any
message $x \in \Sigma_n$, and for any $k \in \mathbb{F}_{q(n)}^+$, generates the quantum state

$$|\psi_k\rangle = \kappa_x^{(k)} |k\rangle|C_x^{(k)}\rangle|\tau\rangle + |\Lambda_x^{(k)}\rangle$$

from the initial state $|\psi_k^{(0)}\rangle = |k\rangle|0^{\lceil \log_2 M(n) \rceil}\rangle|0\rangle|0^{\ell(n)}\rangle$ with only two queries to $\tilde{O}$ and $\tilde{O}^{-1}$, where $|\tau\rangle$ is a
fixed basis vector, $\kappa_x^{(k)}$ is a complex number, and $|\Lambda_x^{(k)}\rangle$ is a vector satisfying $(\langle k|\langle C_x^{(k)}|\langle\tau|)|\Lambda_x^{(k)}\rangle = 0$
with the following condition: for every $x \in \Sigma_n$, there exists an element $k \in \mathbb{F}_{q(n)}^+$ with the inequality $|\kappa_x^{(k)}| \ge
(q(n)/(q(n) - 1)) \, |\mathrm{Pre}_{\tilde{O}}(C_x) - 1/q(n)|$. Moreover, $A$ runs in time polynomial in $(n, \log_2 q(n), \log_2 M(n))$.

Lemma 4.5 provides a generic way of generating a $k$-shuffled codeword state $|C_x^{(k)}\rangle$ from $\tilde{O}$. When $q = 2$,
the bound of $|\kappa_x^{(k)}|$ in Lemma 4.5 matches the bound of Adcock and Cleve [1].

Now, we give the proof of Lemma 4.5. Notice that the lemma is true for any $q$-ary code. The binary
case ($q = 2$) was discussed implicitly in [1]; however, our argument for the general $q$-ary case is more involved
because of our "$k$-shuffledness" condition.

Proof of Lemma 4.5. Since $q(n)$ is a prime number, we use $\{0, 1, 2, \ldots, q(n) - 1\}$ as the elements of
$\mathbb{F}_{q(n)}$. We assume the premise of the theorem. Let $C$ be any $(M(n), n)_{q(n)}$-code family with message space
$\Sigma^* = \bigcup_{n \in \mathbb{N}} \Sigma_n$, index sets $\{I_n\}_{n \in \mathbb{N}}$, and code alphabets $\{\Gamma_n\}_{n \in \mathbb{N}}$. Note that $M(n) = |I_n|$. Let $\tilde{O}$ be any
quantumly corrupted codeword of garbage size $\ell(n)$ for $C$, where $\ell$ is an arbitrary polynomially-bounded
function. First, we describe our quantum codeword-state generation algorithm $A$ in detail. Fix $n \in \mathbb{N}$,
$x \in \Sigma_n$, and $k \in \mathbb{F}_{q(n)}^+$ in the following description. For simplicity, we drop the script "n" and also let
$m = \lceil \log_2 M \rceil$.



Quantum Algorithm A: 

(1) Start with the initial state $|\psi_k^{(0)}\rangle = |k\rangle|0^m\rangle|0\rangle|0^\ell\rangle$.

(2) Apply the quantum transform $|0^m\rangle \to (1/\sqrt{M}) \sum_{r \in I_n} |r\rangle$ to the second register, and we obtain the super-
position

(3) Invoke a query to the oracle $\tilde{O}$ using the last three registers. The resulting quantum state is

(4) To obtain a $k$-shuffled codeword state, we need to transform $|k\rangle|r\rangle \to \omega_q^{k \cdot r}|k\rangle|r\rangle$. This transform can
be realized by the following series of simple transforms: $|k\rangle|r\rangle|0\rangle \to |k\rangle|r\rangle|k \cdot r \bmod q\rangle \to \omega_q^{k \cdot r}|k\rangle|r\rangle|k \cdot
r \bmod q\rangle \to \omega_q^{k \cdot r}|k\rangle|r\rangle|0\rangle$. We then obtain the quantum state of the form

$$|\psi_k^{(3)}\rangle = \frac{1}{\sqrt{M}} \sum_{r \in I_n} \sum_{z \in \mathbb{F}_q} \omega_q^{k \cdot z} \alpha_{r,z} |k\rangle|r\rangle|z\rangle|\phi_{r,z}\rangle.$$

Since this step encodes the information on the first and the third registers into the "phase", for later
convenience, this step will be referred to as phase encoding.

(5) Apply the inverse oracle $\tilde{O}^{-1}$ to the last three registers and denote the resulting state $(I \otimes \tilde{O}^{-1})|\psi_k^{(3)}\rangle$ by
$|\psi_k^{(4)}\rangle$. When the oracle is called, the last three registers are changed in a unit time. The final state $|\psi_k^{(4)}\rangle$
can be expressed in the form $\kappa_x^{(k)}|k\rangle|C_x^{(k)}\rangle|\tau\rangle + |\Lambda_x^{(k)}\rangle$, where $|\tau\rangle = |0\rangle|0^\ell\rangle$ and $(\langle k|\langle C_x^{(k)}|\langle\tau|)|\Lambda_x^{(k)}\rangle = 0$.



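The execution time of $A$ is clearly upper-bounded by a certain polynomial in $(n, \log_2 q, \log_2 M)$. Now, we
want to calculate the amplitude $\kappa_x^{(k)}$. First, we note that

$$(I \otimes \tilde{O})|k\rangle|C_x^{(k)}\rangle|\tau\rangle = \frac{1}{\sqrt{M}} \sum_{r \in I_n} \sum_{z \in \mathbb{F}_q} \omega_q^{k \cdot C_x(r)} \alpha_{r,z} |k\rangle|r\rangle|z\rangle|\phi_{r,z}\rangle.$$

We denote the above state by $|\psi'\rangle$. Therefore, we have

$$\kappa_x^{(k)} = (\langle k|\langle C_x^{(k)}|\langle\tau|)\left((I \otimes \tilde{O}^{-1})|\psi_k^{(3)}\rangle\right) = \langle\psi'|\psi_k^{(3)}\rangle = \frac{1}{M} \sum_{r \in I_n} \sum_{z \in \mathbb{F}_q} \omega_q^{k(z - C_x(r))} |\alpha_{r,z}|^2.$$

The non-trivial part of our proof is to show a lower-bound of $|\kappa_x^{(k)}|$. Notice that a different proof appeared
in [26]. By summing $\kappa_x^{(k)}$ over all $k \in \mathbb{F}_q^+$, the term $\sum_{k \in \mathbb{F}_q^+} |\kappa_x^{(k)}|$ is lower-bounded by

$$\sum_{k \in \mathbb{F}_q^+} |\kappa_x^{(k)}| \ge \left| \frac{1}{M} \sum_{k \in \mathbb{F}_q^+} \sum_{r \in I_n} \sum_{z \in \mathbb{F}_q} \omega_q^{k(z - C_x(r))} |\alpha_{r,z}|^2 \right|.$$

We introduce a notation. For each value $j \in \mathbb{F}_q$, write $\beta_j$ for the term $(1/M) \sum_{r \in I_n} |\alpha_{r,C_x(r)+j}|^2$. Note that
$\beta_0 = \mathrm{Pre}_{\tilde{O}}(C_x)$ and $1 - \beta_0 = \sum_{j \in \mathbb{F}_q^+} \beta_j$. Using this $\beta_j$-notation, we have

$$\left| \frac{1}{M} \sum_{k \in \mathbb{F}_q^+} \sum_{r \in I_n} \sum_{z \in \mathbb{F}_q} \omega_q^{k(z - C_x(r))} |\alpha_{r,z}|^2 \right| = \left| \sum_{k \in \mathbb{F}_q^+} \left( \beta_0 + \omega_q^{k}\beta_1 + \cdots + \omega_q^{(q-1)k}\beta_{q-1} \right) \right|$$
$$= \left| (q - 1)\beta_0 - \sum_{j \in \mathbb{F}_q^+} \beta_j \right| = \left| (q - 1)\mathrm{Pre}_{\tilde{O}}(C_x) - (1 - \mathrm{Pre}_{\tilde{O}}(C_x)) \right| = \left| q \cdot \mathrm{Pre}_{\tilde{O}}(C_x) - 1 \right|.$$

Hence, we obtain $(1/(q - 1)) \sum_{k \in \mathbb{F}_q^+} |\kappa_x^{(k)}| \ge (1/(q - 1)) \, |q \cdot \mathrm{Pre}_{\tilde{O}}(C_x) - 1|$. This implies that there exists a
number $k \in \mathbb{F}_q^+$ for which

$$|\kappa_x^{(k)}| \ge \frac{1}{q - 1} \left| q \cdot \mathrm{Pre}_{\tilde{O}}(C_x) - 1 \right| = \frac{q}{q - 1} \left| \mathrm{Pre}_{\tilde{O}}(C_x) - \frac{1}{q} \right|.$$

This completes the proof. □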
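The amplitude bound of Lemma 4.5 can be checked numerically. The following Python sketch is an added example, not code from the paper: it evaluates $\kappa_x^{(k)} = (1/M)\sum_r\sum_z \omega_q^{k(z - C_x(r))}|\alpha_{r,z}|^2$ for a q-ary Hadamard codeword and a randomly generated (constructed) table of oracle probabilities $|\alpha_{r,z}|^2$, then compares the largest $|\kappa_x^{(k)}|$ with $(q/(q-1))|\mathrm{Pre} - 1/q|$. All function names and the sample oracle are assumptions made for illustration.

```python
import cmath
import itertools
import random


def omega(q, e):
    """Return omega_q^e = exp(2*pi*i*e/q)."""
    return cmath.exp(2j * cmath.pi * (e % q) / q)


def hadamard_codeword(x, q):
    """q-ary Hadamard codeword C_x(r) = x.r mod q, indexed by r in F_q^n."""
    return [sum(a * b for a, b in zip(x, r)) % q
            for r in itertools.product(range(q), repeat=len(x))]


def corrupted_oracle(codeword, q, p_correct, rng):
    """Constructed sample oracle: one row of |alpha_{r,z}|^2 per index r.

    The correct symbol C_x(r) gets probability close to p_correct and the
    remaining mass is spread randomly over the other q-1 symbols.
    """
    rows = []
    for c in codeword:
        good = min(1.0, max(0.0, p_correct + rng.uniform(-0.1, 0.1)))
        w = [rng.uniform(0.1, 1.0) for _ in range(q)]
        w[c] = 0.0
        s = sum(w)
        row = [(1.0 - good) * wi / s for wi in w]
        row[c] = good
        rows.append(row)
    return rows


def presence(probs, codeword):
    """Pre(C_x) = (1/M) * sum_r |alpha_{r, C_x(r)}|^2."""
    return sum(row[c] for row, c in zip(probs, codeword)) / len(codeword)


def kappa(probs, codeword, q, k):
    """Amplitude kappa_x^(k) on |k>|C_x^(k)>|tau> after phase encoding."""
    M = len(codeword)
    return sum(omega(q, k * (z - c)) * row[z]
               for row, c in zip(probs, codeword) for z in range(q)) / M


def check_lemma_4_5(q, x, p_correct, seed=0):
    """Return (presence, {k: kappa}, sum of kappas, lower bound, best k)."""
    rng = random.Random(seed)
    cw = hadamard_codeword(x, q)
    probs = corrupted_oracle(cw, q, p_correct, rng)
    pre = presence(probs, cw)
    kappas = {k: kappa(probs, cw, q, k) for k in range(1, q)}
    total = sum(kappas.values())
    bound = q / (q - 1) * abs(pre - 1 / q)
    best_k = max(kappas, key=lambda k: abs(kappas[k]))
    return pre, kappas, total, bound, best_k


if __name__ == "__main__":
    pre, kappas, total, bound, best_k = check_lemma_4_5(3, (1, 2), 0.6)
    print("presence:", round(pre, 4))
    print("sum of kappas vs q*Pre - 1:", total, 3 * pre - 1)
    print("best k:", best_k, "|kappa|:", abs(kappas[best_k]), "bound:", bound)
```

Only the probabilities $|\alpha_{r,z}|^2$ enter the computation, because the phases of $\alpha_{r,z}$ and the garbage states cancel in the inner product that defines $\kappa_x^{(k)}$.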



Finally, we prove Theorem 4.3.

Proof of Theorem 4.3. We assume that there exists a $(1 - \nu)$-quantum codeword-state decoder $\mathcal{D}$ for $C$
with $1 - \nu(n) > \sqrt{1 - \eta_\varepsilon(n)^2}$ for every number $n \in \mathbb{N}$, where $\eta_\varepsilon(n) = (q(n)/(q(n) - 1))\varepsilon(n)$. Fix $n \in \mathbb{N}$. Since
$\mathcal{D}$ is a $(1 - \nu)$-quantum codeword-state decoder for $C$, for each $x \in \Sigma_n$ and $k \in \mathbb{F}_{q(n)}^+$, $\mathcal{D}$ outputs $x$ from
the $k$-shuffled codeword state $|C_x^{(k)}\rangle$ with probability at least $1 - \nu(n)$. Let $\tilde{O}$ be any quantumly corrupted
codeword for $C$. Given $\tilde{O}$ as an implicit input, we consider the following algorithm $B$ that can solve the
quantum list-decoding problem for $C$ with probability at least $\delta(n)$. Let $A$ denote the quantum algorithm
given in Lemma 4.5.

For notational readability, we omit the script "n." Write $\sigma$ for the value $1 - \nu - \sqrt{1 - \eta_\varepsilon^2}$. Initially, set
$k = 1$ in the algorithm $B$.



Quantum Algorithm B: 

(1) Starting with $|0^m\rangle$, run the algorithm $A$ to obtain the quantum state $|\psi_k\rangle$.

(2) Apply the algorithm $\mathcal{D}$ to the second register of $|\psi_k\rangle$ using an appropriate number of ancilla qubits, say
$m$. We then obtain the state $\mathcal{D}|\psi_k\rangle|0^m\rangle$.

(3) Measure the obtained state and add this measured result to the list of message candidates.

(4) Repeat Steps (1)-(3) $\lceil (1/\sigma)(\log_e J_{\varepsilon,q,d,M}(n) + \log_e(1/(1 - \delta))) \rceil$ times.

(5) Repeat Steps (1)-(4) by incrementing $k$ by one at each repetition until $k = q - 1$. Finally, output the
list that is produced.



For our convenience, we abbreviate as $B_\varepsilon$ the set $\{x \in \Sigma_n \mid \mathrm{Pre}_{\tilde{O}}(C_x) > 1/q + \varepsilon\}$. Lemma 4.5 implies that,
for every element $x \in B_\varepsilon$, there exists an index $k \in \mathbb{F}_q^+$ such that $|\kappa_x^{(k)}| > \eta_\varepsilon$. By letting $X_\varepsilon^{(k)} = \{x \in B_\varepsilon \mid
|\kappa_x^{(k)}| > \eta_\varepsilon\}$, we immediately obtain $B_\varepsilon = \bigcup_{k \in \mathbb{F}_q^+} X_\varepsilon^{(k)}$. We claim that the algorithm $B$ satisfies the following
properties.

Claim 1 Let $k \in \mathbb{F}_q^+$.

(1) Let $x \in X_\varepsilon^{(k)}$. With probability at least $\sigma$, we can observe $x$ when measuring the quantum state obtained
after Step (2) in the computational basis.

(2) If we proceed Steps (1)-(3) $\lceil (1/\sigma)(\log_e |X_\varepsilon^{(k)}| + \log_e(1/(1 - \delta))) \rceil$ times for the same index $k$, then we
obtain a list that includes all messages in $X_\varepsilon^{(k)}$ with probability at least $\delta$.

Let us prove Claim 1. The trace distance $\|\rho - \sigma\|_{\mathrm{tr}}$ between two quantum states $\rho$ and $\sigma$ is defined to be
$\mathrm{Tr}\sqrt{(\rho - \sigma)(\rho - \sigma)^\dagger}$. In particular, for two pure states $|\phi\rangle$ and $|\psi\rangle$, the trace distance between them can be
calculated as $\| |\phi\rangle\langle\phi| - |\psi\rangle\langle\psi| \|_{\mathrm{tr}} = 2\sqrt{1 - |\langle\phi|\psi\rangle|^2}$. For two (probability) distributions $D_1$ and $D_2$ over $\Sigma_n$,
the $L_1$-norm (or the total variation distance) $\|D_1 - D_2\|_1$ is defined as $\sum_{x \in \Sigma_n} |D_1(x) - D_2(x)|$.

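Proof of Claim 1. We fix $k \in \mathbb{F}_q^+$ arbitrarily.

(1) Choose any element $x \in X_\varepsilon^{(k)}$. Denote by $p_k(x)$ the probability of observing $x$ at Step (3) during round
$k$. Our goal is to show that $p_k(x) \ge \sigma$. For simplicity, let $|\phi_{x,k}\rangle = |k\rangle|C_x^{(k)}\rangle|\tau\rangle|0^m\rangle$ and $|\tilde{\psi}_k\rangle = |\psi_k\rangle|0^m\rangle$. The
trace distance between two pure states $\mathcal{D}|\tilde{\psi}_k\rangle$ and $\mathcal{D}|\phi_{x,k}\rangle$ equals

$$\left\| \mathcal{D}|\phi_{x,k}\rangle\langle\phi_{x,k}|\mathcal{D}^\dagger - \mathcal{D}|\tilde{\psi}_k\rangle\langle\tilde{\psi}_k|\mathcal{D}^\dagger \right\|_{\mathrm{tr}} = \left\| |\phi_{x,k}\rangle\langle\phi_{x,k}| - |\tilde{\psi}_k\rangle\langle\tilde{\psi}_k| \right\|_{\mathrm{tr}} = 2\sqrt{1 - |\langle\phi_{x,k}|\tilde{\psi}_k\rangle|^2} = 2\sqrt{1 - |\kappa_x^{(k)}|^2}.$$

Let $D_k(y)$ and $D_{x,k}(y)$ be the probabilities of obtaining $y \in \Sigma_n$ by measuring the states $\mathcal{D}|\tilde{\psi}_k\rangle$ and
$\mathcal{D}|\phi_{x,k}\rangle$, respectively, in the computational basis. Note that $p_k(x)$ equals $D_k(x)$. Since the total variation
distance between $D_k$ and $D_{x,k}$ is at most the trace distance between $|k\rangle|C_x^{(k)}\rangle|\tau\rangle$ and $|\psi_k\rangle$, it follows that

$$\|D_k - D_{x,k}\|_1 \le \left\| \mathcal{D}|\phi_{x,k}\rangle\langle\phi_{x,k}|\mathcal{D}^\dagger - \mathcal{D}|\tilde{\psi}_k\rangle\langle\tilde{\psi}_k|\mathcal{D}^\dagger \right\|_{\mathrm{tr}} = 2\sqrt{1 - |\kappa_x^{(k)}|^2}.$$

Moreover, we claim that $\|D_k - D_{x,k}\|_1 \ge 2(1 - \nu - D_k(x))$. This is shown as follows. First, we note that
$\|D_k - D_{x,k}\|_1$ is lower-bounded by

$$\|D_k - D_{x,k}\|_1 = |D_k(x) - D_{x,k}(x)| + \sum_{y: y \ne x} |D_k(y) - D_{x,k}(y)|$$
$$\ge |D_k(x) - D_{x,k}(x)| + \left| \sum_{y: y \ne x} D_k(y) - \sum_{y: y \ne x} D_{x,k}(y) \right| = 2|D_k(x) - D_{x,k}(x)|$$

since $\sum_{y \in \Sigma_n} D_k(y) = \sum_{y \in \Sigma_n} D_{x,k}(y) = 1$. We then obtain

$$\|D_k - D_{x,k}\|_1 \ge 2|D_k(x) - D_{x,k}(x)| \ge 2(1 - \nu - D_k(x)).$$

The above two bounds on $\|D_k - D_{x,k}\|_1$ yield the following inequality:

$$1 - \nu - D_k(x) \le \sqrt{1 - |\kappa_x^{(k)}|^2},$$

which immediately implies

$$D_k(x) \ge 1 - \nu - \sqrt{1 - |\kappa_x^{(k)}|^2} \ge 1 - \nu - \sqrt{1 - \eta_\varepsilon^2} = \sigma$$

since $|\kappa_x^{(k)}| > \eta_\varepsilon$. Therefore, we conclude that $p_k(x) \ge \sigma$, as requested.

(2) Assuming that Steps (1)-(3) for the same index $k$ are repeated $t$ times to create a list including all
the elements in $X_\varepsilon^{(k)}$, we wish to prove that $t \ge (1/\sigma)(\log_e |X_\varepsilon^{(k)}| + \log_e(1/(1 - \delta)))$. This gives the desired
bound since $|X_\varepsilon^{(k)}| \le J_{\varepsilon,q,d,M}(n)$. Note that we obtain $x \in X_\varepsilon^{(k)}$ through these steps with probability at least
$\sigma$. This implies that, for each fixed element $x_0 \in X_\varepsilon^{(k)}$, the probability of obtaining no $x_0$ within $t$ samples is
upper-bounded by $(1 - \sigma)^t$. Therefore, with probability at most $|X_\varepsilon^{(k)}|(1 - \sigma)^t$, there exists an $x \in X_\varepsilon^{(k)}$ for
which $t$ samples do not contain $x$.

Since the probability of obtaining the desired valid list is at least $\delta$, we demand the condition that
$|X_\varepsilon^{(k)}|(1 - \sigma)^t \le 1 - \delta$; equivalently,

$$t \log_e \frac{1}{1 - \sigma} \ge \log_e |X_\varepsilon^{(k)}| + \log_e \frac{1}{1 - \delta},$$

which yields the desired bound

$$t \ge \frac{1}{\sigma} \left( \log_e |X_\varepsilon^{(k)}| + \log_e \frac{1}{1 - \delta} \right)$$

because $\log_e(1/(1 - \sigma))$ is lower-bounded by

$$\log_e \frac{1}{1 - \sigma} = -\log_e(1 - \sigma) = \sum_{i=1}^{\infty} \frac{\sigma^i}{i} \ge \sigma.$$

This completes the proof of the claim.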



Claim 1 guarantees that, since $|X_\varepsilon^{(k)}| \le |B_\varepsilon| \le J_{\varepsilon,q,d,M}(n)$ for all indices $k \in \mathbb{F}_q^+$, if we run Steps (1)-(4),
then we obtain a list containing all the elements in $B_\varepsilon$ with probability at least $\delta$. Note that, at Step (3), we
add only one element into our list of candidates. Hence, the size of the list generated by $B$ is at most $q(n) - 1$
times $\lceil (1/\sigma)(\log_e |B_\varepsilon| + \log_e(1/(1 - \delta))) \rceil$. It is obvious that the total number of queries is at most twice as
many as the list size. □

5 Nearly Phase-Orthogonal Codes

Through Sections 3-4, we have developed a solid foundation for the proof of our main theorem, presented in
Section 2, concerning the quantum hardcore property of three classical block codes. In this section, we shall
target two codes, $q$-ary Hadamard codes and pairwise equality codes, which share a common feature, called
nearly phase-orthogonality. The proof of their quantum hardcore property will exploit this feature.

5.1 Nearly Phase-Orthogonality 

Now, we want to introduce a family of nearly phase-orthogonal codes. Let us first recall that, for any
$(M(n), n)_{q(n)}$-code family with a message space $\Sigma^* = \bigcup_{n \in \mathbb{N}} \Sigma_n$ and a series $\{I_n\}_{n \in \mathbb{N}}$ of index sets, a $k$-
shuffled codeword state for a codeword $C_x$ that encodes a message $x \in \Sigma_n$ is the quantum state $|C_x^{(k)}\rangle =$

Definition 5.1 (nearly phase orthogonality) Let $\eta$ be any function from $\mathbb{N}$ to the unit real interval $[0, 1]$.
We say that a classical block $(M(n), n)_{q(n)}$-code family $C$ with a message space $\Sigma^* = \bigcup_{n \in \mathbb{N}} \Sigma_n$ is $\eta$-
nearly phase-orthogonal if $|\langle C_x^{(k)}|C_y^{(k)}\rangle| \le \eta(n)$ for any number $n \in \mathbb{N}$, any element $k \in \mathbb{F}_{q(n)}^+$, and any message
pair $x, y \in \Sigma_n$ with $x \ne y$. In particular, any 0-nearly phase-orthogonal code is called phase orthogonal.

Notice that, since $k$-shuffled codeword states are pure quantum states, the value $|\langle C_x^{(k)}|C_y^{(k)}\rangle|$ coincides
with the fidelity $F(|C_x^{(k)}\rangle, |C_y^{(k)}\rangle)$ of $|C_x^{(k)}\rangle$ and $|C_y^{(k)}\rangle$.

The Hadamard code $\mathrm{HAD}^{(q)}$ is an example of a phase-orthogonal code and its phase orthogonality plays
an important role in the proof of the quantum hardcore property of $\mathrm{HAD}^{(q)}$ in Section 5.2. In general, the
phase-orthogonality of an $(M(n), n)_{q(n)}$-code family $C$ with a message space $\Sigma^* = \bigcup_{n \in \mathbb{N}} \Sigma_n$ implies that, for
each pair $(n, k) \in \mathbb{N} \times \mathbb{F}_{q(n)}^+$, the set $\{|C_0^{(k)}\rangle, |C_1^{(k)}\rangle, \ldots, |C_{N(n)-1}^{(k)}\rangle\}$ forms an orthonormal basis of an $N(n)$-
dimensional Hilbert space, where $N(n) = |\Sigma_n|$. Note that, since a quantum hardcore $C(x, r)$ requires the
condition that $|r| = \mathrm{poly}(|x|)$, it suffices to consider only $(M(n), n)_{q(n)}$-codes $C$ that satisfy the inequality
$M(n) \ge N(n)$. For any binary code, in particular, its phase-orthogonality can be naturally induced from the
standard inner product of two codewords when we translate their binary symbols $\{0, 1\}$ into $\{+1, -1\}$.

An immediate benefit of the phase-orthogonality is explained as follows. If a code $C = \{C_x\}_{x \in \Sigma^*}$ is phase-
orthogonal, then we can strengthen Lemma 4.5 so that we can isolate simultaneously all individual messages
$x$. Moreover, a nearly phase-orthogonal code $C$ can provide a lower bound on the (Hamming) distance of $C$.

Proposition 5.2 Let $C = \{C_x\}_{x \in \Sigma^*}$ be any $(M(n), n, d(n))_{q(n)}$-code. Let $\eta$ be any function such that $0 \le
\eta(n) < 1$ for any number $n \in \mathbb{N}$. If $C$ is $\eta$-nearly phase-orthogonal, the distance $d(n)$ is lower-bounded by
$(1 - \eta(n))M(n)/2$ for every length $n$.

Proposition 5.2 can be obtained from the following lemma, which relates the fidelity $F(|C_x^{(k)}\rangle, |C_y^{(k)}\rangle)$ to
the relative Hamming distance $\Delta(C_x, C_y)$. The proof of the lemma is found in Appendix for readability.

Lemma 5.3 For any pair $(C_x, C_y)$ of codewords in a given $(M(n), n, d(n))_{q(n)}$-code $C$ and for any index
$k \in \mathbb{F}_q^+$,

$$F(|C_x^{(k)}\rangle, |C_y^{(k)}\rangle) \ge 1 - 2\Delta(C_x, C_y),$$

where the equality holds for any binary code $C$.

Let us explain how to prove Proposition 5.2 from Lemma 5.3. Let $C$ be any $(M(n), n, d(n))_{q(n)}$-code
that is $\eta$-nearly phase-orthogonal. From this nearly phase-orthogonality, the function $\eta$ satisfies that $\eta(n) \ge
|\langle C_x^{(k)}|C_y^{(k)}\rangle|$ for all parameters $k, x, y$ with $x \ne y$. Apply Lemma 5.3 and we obtain $\eta(n) \ge 1 - 2d(C_x, C_y)/M(n)$,
from which we conclude that $d(C_x, C_y) \ge (1 - \eta(n))M(n)/2$. Because $d(n)$ is the distance, it follows that
$d(n) \ge d(C_x, C_y) \ge (1 - \eta(n))M(n)/2$. This completes the proof of Proposition 5.2.

5.2 Proof of Theorem 2.3(1-2)

How can we prove Theorem 2.3? As we have discussed in Sections 3-4, with help of Theorem 3.3 and Corollary
4.4, we can prove the quantum hardcore property of each function, given in Theorem 2.3, by constructing
its polynomial-time $(1 - s)$-quantum codeword-state decoder with a certain negligible function $s$. In this
subsection, we target two code families: $q$-ary Hadamard codes $\mathrm{HAD}^{(q)}$ and pairwise equality codes PEQ. Our
quantum codeword-state decoders for these codes are obtained by exploiting their nearly phase-orthogonality.

For our proof, we assume the following limited form of quantum Fourier transform $F_n$, over a finite additive
group $\mathbb{Z}_n$, running in time polynomial in $n$: for any element $s \in \mathbb{Z}_n$,

$$F_n|s\rangle = \frac{1}{\sqrt{n}} \sum_{r \in \mathbb{Z}_n} \omega_n^{s \cdot r} |r\rangle.$$

For a more general form of quantum Fourier transform over a finite field $\mathbb{F}_q$, see, e.g., [29], where the following
statement is proven: for any prime power $q$, $F_q$ can be approximated to within error $\varepsilon$ in time polynomial in
$(\log_2 q, \log_2(1/\varepsilon))$.

Proof of Theorem 2.3(1-2). It suffices to provide a negligible function $s$ and a polynomial-time $(1 - s)$-
quantum codeword-state decoder for each of the given codewords $C$ in Theorem 2.3(1-2). From such a decoder,
by Theorem 4.4, we can construct a polynomial-time quantum list-decoder for $C$. Theorem 3.3 then guarantees
the quantum hardcore property of $C$. In our case of $\mathrm{HAD}^{(q)}$ and PEQ, we can utilize their phase-orthogonality
and build a polynomial-time $(1 - 2^{-n})$-quantum codeword-state decoder for them.
Now, fix $n \in \mathbb{N}$ and omit "n" for readability.

(1) The simple case $q = 2$ was implicitly proven by Adcock and Cleve [1] and also by Bernstein and Vazirani
[7]. Consider the general case $q > 2$. Obviously, $\mathrm{HAD}^{(q)}$ is polynomial-time computable. Now, we intend
to show that $\mathrm{HAD}^{(q)}$ is $(1 - 2^{-n})$-quantum codeword-state decodable. Let $|\mathrm{HAD}^{(q)}_x\rangle$ be a codeword state.
Consider the quantum Fourier transform $F_q$ over $\mathbb{F}_q$. To recover $x$ from the codeword state $|\mathrm{HAD}^{(q)}_x\rangle$, we note
that

$$F_q|x\rangle = \frac{1}{\sqrt{q^n}} \sum_{r} \omega_q^{x \cdot r} |r\rangle = \frac{1}{\sqrt{q^n}} \sum_{r} \omega_q^{\mathrm{HAD}^{(q)}_x(r)} |r\rangle = |\mathrm{HAD}^{(q)}_x\rangle.$$

Hence, apply the inverse of $F_q$ to $|\mathrm{HAD}^{(q)}_x\rangle$ and we immediately obtain $|x\rangle$ with probability 1. Since $q$ is
an arbitrary prime number, we may not simulate $F_q$ exactly. Instead of applying $F_q$, however, we can use
its approximation whose approximation error is exponentially small. Therefore, we conclude that $\mathrm{HAD}^{(q)}$ is
indeed $(1 - 2^{-n})$-quantum codeword-state decodable, as requested.

(2) We want to prove that PEQ has a polynomial-time $(1 - 2^{-n})$-quantum codeword-state decoder. We
first observe the following key equation:

$$|\mathrm{PEQ}_x\rangle = \frac{1}{\sqrt{2^n}} \sum_{r} (-1)^{\mathrm{PEQ}_x(r)} |r\rangle$$
$$= \frac{1}{2} \sum_{r_1, r_2} (-1)^{\mathrm{EQ}(x_1x_2, r_1r_2)} |r_1r_2\rangle \otimes \cdots \otimes \frac{1}{2} \sum_{r_{n-1}, r_n} (-1)^{\mathrm{EQ}(x_{n-1}x_n, r_{n-1}r_n)} |r_{n-1}r_n\rangle.$$

Let us consider the following unitary transform $H_C$, which we call the circulant Hadamard transform:

/ll 1 1 \ / -1 \ 

i ii i I ./n innl 




where $F_4$ is the quantum Fourier transform over $\mathbb{F}_4$. Since $H_C$ satisfies the equality

$$H_C \left( \frac{1}{2} \sum_{r_i, r_{i+1}} (-1)^{\mathrm{EQ}(x_ix_{i+1}, r_ir_{i+1})} |r_ir_{i+1}\rangle \right) = |x_ix_{i+1}\rangle,$$

we can obtain $|\phi\rangle = |x_1x_2\rangle \otimes \cdots \otimes |x_{n-1}x_n\rangle$ from the codeword state $|\mathrm{PEQ}_x\rangle$ by applying $U = H_C^{\otimes n/2}$. Using
an approximation of $F_4$, we can simulate the unitary operator $H_C$ with exponentially small error. Finally, from
the quantum state $|\phi\rangle$, we can easily deduce $x$. Therefore, we obtain a polynomial-time $(1 - 2^{-n})$-quantum
codeword-state decoder for PEQ. □
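The Hadamard part of this proof, together with Definition 5.1 and Lemma 5.3, can be reproduced with a small state-vector computation. The Python sketch below is an added example, not code from the paper: it builds $k$-shuffled codeword states, confirms that distinct Hadamard codeword states have zero overlap, decodes by an inverse Fourier transform over $\mathbb{Z}_q^n$, and compares the fidelity with $1 - 2\Delta$. It goes slightly beyond the text by decoding a $k$-shuffled state with $k \ne 1$, using $\omega_q^{k(x \cdot r)} = \omega_q^{(kx) \cdot r}$ and multiplying the decoded vector by $k^{-1} \bmod q$; all function names are assumptions.

```python
import cmath
import itertools


def omega(q, e):
    """Return omega_q^e = exp(2*pi*i*e/q)."""
    return cmath.exp(2j * cmath.pi * (e % q) / q)


def dot(x, r, q):
    """Inner product x.r over F_q (q prime)."""
    return sum(a * b for a, b in zip(x, r)) % q


def hadamard_codeword(x, q):
    """HAD_x(r) = x.r mod q for every index r in F_q^n."""
    return [dot(x, r, q) for r in itertools.product(range(q), repeat=len(x))]


def codeword_state(codeword, q, k=1):
    """k-shuffled codeword state: amplitudes omega_q^(k*C(r)) / sqrt(M)."""
    M = len(codeword)
    return [omega(q, k * c) / M ** 0.5 for c in codeword]


def overlap(u, v):
    """|<u|v>|, which equals the fidelity of two pure states."""
    return abs(sum(a.conjugate() * b for a, b in zip(u, v)))


def max_offdiagonal_overlap(q, n, k):
    """Largest |<HAD_x^(k)|HAD_y^(k)>| over all message pairs x != y."""
    msgs = list(itertools.product(range(q), repeat=n))
    states = [codeword_state(hadamard_codeword(x, q), q, k) for x in msgs]
    return max(overlap(states[i], states[j])
               for i in range(len(msgs)) for j in range(i + 1, len(msgs)))


def decode_hadamard(state, q, n, k=1):
    """Inverse Fourier transform over Z_q^n, then undo the k-shuffle.

    Returns the decoded message and the probability of measuring it.
    """
    idx = list(itertools.product(range(q), repeat=n))
    M = len(idx)
    probs = {}
    for y in idx:
        amp = sum(omega(q, -dot(y, r, q)) * s
                  for r, s in zip(idx, state)) / M ** 0.5
        probs[y] = abs(amp) ** 2
    y = max(probs, key=probs.get)      # outcome y equals k*x mod q
    k_inv = pow(k, -1, q)              # k is invertible because q is prime
    x = tuple(k_inv * yi % q for yi in y)
    return x, probs[y]


def fidelity_and_bound(cx, cy, q, k=1):
    """Return (fidelity, 1 - 2*Delta) for two words of equal length."""
    delta = sum(a != b for a, b in zip(cx, cy)) / len(cx)
    f = overlap(codeword_state(cx, q, k), codeword_state(cy, q, k))
    return f, 1 - 2 * delta


if __name__ == "__main__":
    q, n, k, x = 3, 2, 2, (2, 1)
    print("max overlap:", max_offdiagonal_overlap(q, n, k))
    state = codeword_state(hadamard_codeword(x, q), q, k)
    print("decoded:", decode_hadamard(state, q, n, k))
    # Constructed ternary words that differ in two of six positions.
    print(fidelity_and_bound([0, 1, 2, 0, 1, 2], [0, 1, 2, 1, 2, 2], 3))
```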



5.3 Query Complexity of Quantum List-Decoders 

Whereas any known classical list-decoder for a $q$-ary Hadamard code needs a polynomial number of queries
per message candidate, our quantum list-decoder constructed in the previous subsection requires only
two queries. For more general nearly phase-orthogonal codes, we shall show that these codes have quantum
list-decoders that make a significantly small number of queries to a given quantumly corrupted codeword.

Theorem 5.4 Let $C = \{(\Sigma_n, I_n, \Gamma_n)\}_{n \in \mathbb{N}}$ be any $(M(n), n)_{q(n)}$-code family and assume that $q(n) \in n^{O(1)}$
and $\log_2 M(n) \in n^{O(1)}$. Let $\eta$ be any function from $\mathbb{N}$ to the unit real interval $[0, 1]$ and assume that $\eta(n)|\Sigma_n|$
is a negligible function. If $C$ is $\eta$-nearly phase-orthogonal, then there exists a quantum list-decoder for $C$ whose
query complexity is proportional to the size of its output list.

The proof of Theorem 5.4 requires the following technical statement on nearly phase-orthogonal codes. We
show that certain types of nearly phase-orthogonal codes are indeed quantum list-decodable with low query
complexity.

Proposition 5.5 Let $C$ be any $(M(n), n)_{q(n)}$-code family with a message space $\Sigma^* = \bigcup_{n \in \mathbb{N}} \Sigma_n$ and let
$N(n) = |\Sigma_n|$ for each length $n$. Let $\varepsilon$, $\delta$, and $\eta$ be any three functions from $\mathbb{N}$ to the real interval $[0, 1]$,
and also let $\eta'(n) = \eta(n)N(n)$ and $\eta_\varepsilon(n) = (q(n)/(q(n) - 1))\varepsilon(n)$ for every number $n \in \mathbb{N}$. Let $\ell$ be any
polynomially-bounded function from $\mathbb{N}$ to $\mathbb{N}$. Assume that $\eta'$ is a negligible function. Assume that there
is a positive-valued function $\sigma$ for which its reciprocal is upper-bounded by a certain positive polynomial in
$(n, q(n), \log_2 M(n), 1/\varepsilon(n), \log_2(1/(1 - \delta(n))))$ and it also satisfies $1 - \eta'(n) - \sigma(n) \ge \sqrt{1 - \eta_\varepsilon(n)^2}$ for every
number $n \in \mathbb{N}$. If $C$ is $\eta$-nearly phase-orthogonal, then $C$ is $(\ell, \varepsilon, \delta)$-quantum list-decodable with list size poly-
nomial in $(n, q(n), \log_2 M(n), 1/\varepsilon(n), \log_2(1/(1 - \delta(n))))$ and query complexity is at most twice as many as the
list size.

We delay the proof of this proposition and quickly prove Theorem 5.4. With help of the proposition, the
proof of this theorem is similar to that of Theorem 3.3.

Proof of Theorem 5.4. Let $C = \{(\Sigma_n, I_n, \Gamma_n)\}_{n \in \mathbb{N}}$ be any $(M(n), n)_{q(n)}$-code family. Write $N(n) = |\Sigma_n|$.
For any number $n \in \mathbb{N}^+$, define $\delta(n) = 1 - 2^{-n}$, which implies $\log_2(1/(1 - \delta(n))) = n$. Let $\varepsilon$ be any noticeable
function from $\mathbb{N}$ to $[0, 1]$. Take a positive polynomial $p$ and assume that $\varepsilon(n) > 1/p(n)$ for all numbers $n \in \mathbb{N}$.
Let $\eta$ be any function such that $\eta'(n) = \eta(n)N(n)$ is negligible. Since $\eta'$ is negligible, it follows that, for all
sufficiently large numbers $n$, $\eta'(n)$ is upper-bounded by $1/4p(n)^2$.

Let us define $\sigma$ as $\sigma(n) = 1 - \eta'(n) - \sqrt{1 - \eta_\varepsilon(n)^2}$, where $\eta_\varepsilon(n) = (q(n)/(q(n) - 1))\varepsilon(n)$. Similar to the proof
of Corollary 4.4, the function $1/\sigma(n)$ is upper-bounded by $4p(n)^2$. Since $\log_2 M(n) \in n^{O(1)}$ and $q(n) \in n^{O(1)}$,
we can conclude that $1/\sigma(n)$ is bounded from above by a certain polynomial in $(n, q(n), \log_2 M(n), 1/\varepsilon(n), \log_2(1/(1 -
\delta(n))))$. Now, apply Proposition 5.5 and we obtain an $(\ell, \varepsilon, \delta)$-quantum list-decoder $\mathcal{D}$ for $C$ with list size
polynomial in $n$. □

In the rest of this subsection, we shall give the proof of Proposition 5.5. This proposition follows directly
from Theorem 4.3 and the next key lemma, which states that any nearly phase-orthogonal code has a certain
type of quantum codeword-state decoder.

Lemma 5.6 Let $C$ be any $(M(n), n)_{q(n)}$-code family with a message space $\Sigma^* = \bigcup_{n \in \mathbb{N}} \Sigma_n$ such that $M(n) \ge
N(n)$ for all numbers $n \in \mathbb{N}$, where $N(n) = |\Sigma_n|$. Let $\eta$ be any function from $\mathbb{N}$ such that $0 \le \eta(n)N(n) < 1$
for any sufficiently large number $n \in \mathbb{N}$. If $C$ is $\eta$-nearly phase-orthogonal, then there exists a $(1 - \eta(n)N(n))$-
quantum codeword-state decoder for $C$.

Lemma 5.6 helps us prove Proposition 5.5 in the following fashion. Assuming the premise of the
proposition, take $\eta'(n)$ and take $\sigma$. Note that $1/\sigma(n)$ is upper-bounded by a certain polynomial in
$(n, q(n), \log_2 M(n), 1/\varepsilon(n), \log_2(1/(1 - \delta(n))))$. For any given $\eta$-nearly phase-orthogonal code $C$, by Lemma
5.6, we obtain a $(1 - \eta'(n))$-quantum codeword-state decoder. Theorem 4.3 then guarantees the existence of
an $(\ell, \varepsilon, \delta)$-quantum list-decoder for $C$ whose list size is polynomial in $(n, q(n), \log_2 M(n), 1/\varepsilon(n), \log_2(1/(1 -
\delta(n))))$. This list-decoder has query complexity of at most twice as many as the list size. This completes the
proof of the proposition.

To prove Lemma 5.6, we use the notion of pretty-good measurement (known also as square-root measurement 
or least-squares measurement) [T3||5T]. Let $E_n$ denote the $n$-by-$n$ identity matrix. Before the proof, we 
note the following lemma, which can be obtained by following the proof of [3, Lemma 9.1], in which the case 
of real matrices is considered. Here, we treat every quantum state $|\phi\rangle$ as a column vector. 

Lemma 5.7 Let $\varepsilon \in [0, 1]$. Let $G = (\eta_{i,j})_{i,j\in[N]}$ be any complex symmetric $N$-by-$N$ matrix with $\eta_{i,i} = 1$ and 
$|\eta_{i,j}| \le \varepsilon$ for all pairs $(i,j) \in [N]^2$ with $i \ne j$. It then holds that 

$$\mathrm{rank}(G) \ge \frac{N}{1 + (N-1)\varepsilon^2}.$$



Proof of Lemma 5.6. Fix $n \in \mathbb{N}$ and k G ^t n y. For simplicity, let $I_N = [0, N(n) - 1]_{\mathbb{Z}}$. For readability 
we omit the script "n" in the rest of this proof. We wish to construct a quantum algorithm $\mathcal{A}$ whose success 
probability of obtaining $z$ from $|C_z^{(k)}\rangle$ is at least $1 - \eta N$ whenever $|\langle C_x^{(k)}|C_y^{(k)}\rangle| \le \eta$ for any two distinct 
messages $x, y \in \Sigma_n$. 

We want to design $\mathcal{A}$ by following an argument of pretty good measurement [TH [ST]. Let $S$ be the $M$-by-$N$ 
matrix $(|C_0^{(k)}\rangle, |C_1^{(k)}\rangle, \ldots, |C_{N-1}^{(k)}\rangle)$, in which the $i$th column of $S$ expresses the column vector $|C_i^{(k)}\rangle$. Notice 
that $S|z\rangle_N = |C_z^{(k)}\rangle$ for each $z \in I_N$, where $|z\rangle_N$ denotes the $N$-dimensional unit vector whose $z$th entry is 1 
and 0 elsewhere. 

Note that $S^\dagger S$ is an $N$-by-$N$ matrix. We first show that $\mathrm{rank}(S^\dagger S) = N$, which implies that all eigenvalues 
of S are non-zero. Setting $G = S^\dagger S$ and $\varepsilon = \eta$, Lemma 5.7 gives 

$$\mathrm{rank}(S^\dagger S) \ge \frac{N}{1 + (N-1)\eta^2} \ge \left(1 - (N-1)\eta^2\right)N > N - 1 + \frac{1}{N}.$$

We used the facts that $1/(1 + \delta) \ge 1 - \delta$ for any $\delta < 1$ at the second inequality and $\eta < 1/N$ at the last 
inequality. Since the rank is an integer larger than $N - 1 + (1/N)$, it should be exactly $N$, concluding that 
$\mathrm{rank}(S^\dagger S) = N$. 

Since $S^\dagger S$ is Hermitian and positive definite, it has a set of positive eigenvalues, say $\{\lambda_0, \ldots, \lambda_{N-1}\}$. Let 
$\lambda_{\min} = \min\{\lambda_0, \lambda_1, \ldots, \lambda_{N-1}\} > 0$. We claim that $\lambda_{\min}$ is relatively large. 

Claim 2 $\lambda_{\min} \ge 1 - \eta N$. 



Proof. Let $G = S^\dagger S$, the $N$-by-$N$ matrix $(\eta_{i,j})_{i,j}$, where $\eta_{i,j} = \langle C_i^{(k)}|C_j^{(k)}\rangle$. By our assumption, it follows 
that $|\eta_{i,j}| \le \eta$ for any pairs $(i,j)$. Since $G$ is Hermitian, let $G = \sum_{i=0}^{N-1} \lambda_i|\phi_i\rangle\langle\phi_i|$ be a spectral decomposition 
of $G$ for the eigenstates $\{|\phi_i\rangle\}_{i\in I_N}$. We then have 



min I (%b\G\ih) I = min 
IV>)ll=i |||V)ll=i 



JV-l 



i=0 



= A n 



Note that, for any state \ip) of the form J2iei N with complex numbers a/s, the value |(7/j|G|t/;)| equals 



1 ' X! '/<•..">./ 



^77|ai| 2 + r) it ja*aj +n j . i a*a l + r}\otjf 
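We then focus on the term $\sum_{i<j}\left(\eta|\alpha_i|^2 + \eta_{i,j}\alpha_i^*\alpha_j + \eta_{j,i}\alpha_j^*\alpha_i + \eta|\alpha_j|^2\right)$. We will show that the term is real 
positive. Let $\gamma_{i,j} = \eta_{i,j}/|\eta_{i,j}|$. Since $\eta_{j,i} = \eta_{i,j}^*$ and $\eta - |\eta_{i,j}| \ge 0$, we have 

$$\sum_{i<j}\left(\eta|\alpha_i|^2 + \eta_{i,j}\alpha_i^*\alpha_j + \eta_{j,i}\alpha_j^*\alpha_i + \eta|\alpha_j|^2\right) = \sum_{i<j}\left[(\eta - |\eta_{i,j}|)|\alpha_i|^2 + (\eta - |\eta_{i,j}|)|\alpha_j|^2 + |\eta_{i,j}|\left(|\alpha_i|^2 + \gamma_{i,j}\alpha_i^*\alpha_j + \gamma_{i,j}^*\alpha_j^*\alpha_i + |\alpha_j|^2\right)\right].$$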



Therefore, we have 



mm |<V|G|V>|> 
II IV') 11=1 



i<j 



>l-r]N. 



□ 



We continue our proof of Lemma 5.6. Let $S = PTQ^\dagger$ be a singular-value decomposition (see, e.g., [23]), 
where $P$ is an $M$-by-$M$ unitary matrix, $Q$ is an $N$-by-$N$ unitary matrix, and $T$ is an $M$-by-$N$ matrix of the 
form $\begin{pmatrix} T' \\ O \end{pmatrix}$ with the diagonal matrix $T' = \mathrm{diag}(\sqrt{\lambda_0}, \sqrt{\lambda_1}, \ldots, \sqrt{\lambda_{N-1}})$. We therefore have 
$\langle z|_M US|z\rangle_N = \langle z|_M UPTQ^\dagger|z\rangle_N$ for any $z \in I_N$. 

We define an $M$-by-$M$ matrix $U$ as $U = RP^\dagger$, where the $M$-by-$M$ matrix $R$ is 

$$R = \begin{pmatrix} Q & O \\ O & E_{M-N} \end{pmatrix}.$$



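It immediately follows that, for any $z \in I_N$, 

$$\langle z|_M US|z\rangle_N = \langle z|_M RTQ^\dagger|z\rangle_N = \langle z|_M \begin{pmatrix} Q & O \\ O & E_{M-N} \end{pmatrix} \begin{pmatrix} T' \\ O \end{pmatrix} Q^\dagger|z\rangle_N = \langle z|_M \begin{pmatrix} QT'Q^\dagger \\ O \end{pmatrix} |z\rangle_N = \langle z|_N QT'Q^\dagger|z\rangle_N.$$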



The desired quantum algorithm $\mathcal{A}$ applies $U$ and then measures its result. The above calculation indicates 
that the probability of $\mathcal{A}$'s recovering $z$ from $|C_z^{(k)}\rangle$ is therefore lower-bounded by $|\langle z|_N QT'Q^\dagger|z\rangle_N|^2$, which is 
at least $\lambda_{\min}$. 

The above claim yields the desired conclusion. □ 



6 Circulant Codes 

To design quantum codeword-state decoders, Proposition 5.5 gives a constructive but not time-efficient method 
for nearly phase-orthogonal codes. Under a certain condition, we can construct quantum codeword-state 
decoders that run in polynomial time. One such condition is "circulantness" of codes with a certain 
property. A circulant code family $C = \{C_i\}_{i\in\mathbb{N}}$ requires its associated matrices $M_C^{(n)} = (C_i(j))_{i,j\in I_n}$ to be 
"circulant." An example of such code families is the shifted Legendre symbol code $\mathrm{SLS}^p$ described in Theorem 
2.3. Earlier, van Dam, Hallgren, and Ip [29] discussed, in essence, the quantum codeword-state decoding of 
$\mathrm{SLS}^p$ in the context of hidden shift problems. With our notion of $k$-shuffled codeword states, we take a general 
approach toward circulant codes and give a broader insight into their quantum list-decodability. 

6.1 Circulantness and Fourier Transforms 

We formally introduce the notion of circulant codes. First, we fix a positive integer $n$ and let $L_n = [0, n - 1]_{\mathbb{Z}}$. 
An $n$-by-$n$ integer matrix $Q = (q_{i,j})_{i,j\in[n]}$ is called the cyclic permutation matrix if $q_{n,1} = 1$, $q_{i,i+1} = 1$ for any 
index $i \in [n - 1]$, and the others are all zeros. Notice that $Q^n$ equals the identity matrix. A circulant matrix 
$M$ is of the form $\sum_{j=0}^{n-1} a_jQ^j$ for certain complex numbers $\{a_j\}_{j\in L_n}$; in other words, the $(i,j)$-entry of $M$ is 
$a_{j-i \bmod n}$ for each pair $i, j \in L_n$. 

Definition 6.1 (circulant code) A classical block code family $C = \{C_i\}_{i\in\mathbb{N}}$ with index sets $\{I_n\}_{n\in\mathbb{N}}$ is 
said to be circulant if, for every message length $n \in \mathbb{N}$, the matrix $M_C^{(n)} = (C_i(j))_{i,j\in I_n}$ is circulant; namely, 
$M_C^{(n)} = \sum_{i=0}^{M-1} C_0(i)Q^i$, where $Q$ denotes the $M$-by-$M$ cyclic permutation matrix. 

Circulant codes are desirable candidates for quantum hardcore functions. We shall give the proof of 
Theorem 2.3(3) by exploiting the circulantness of $\mathrm{SLS}^p$. 

The (discrete and quantum) Fourier transform is one of the most useful operations in use. Notice that 
circulant matrices can be diagonalized by these Fourier transforms. Consider the quantum Fourier transform 
$F_n$ over $\mathbb{Z}_n$. Any circulant matrix $M = \sum_{j\in L_n} a_jQ^j$ can be diagonalized by $F_n$ as follows: 

$$F_n^{-1}MF_n = \mathrm{diag}\Big(\sum_{j\in L_n} a_j\omega_n^{ij}\Big)_{i\in L_n} = \mathrm{diag}\Big(\sum_{j\in L_n} a_j, \sum_{j\in L_n} a_j\omega_n^{j}, \sum_{j\in L_n} a_j\omega_n^{2j}, \ldots, \sum_{j\in L_n} a_j\omega_n^{(n-1)j}\Big).$$

From the definition of $M_C^{(n)}$ in Definition 6.1, the transposed matrix $(M_C^{(n)})^T = (C_j(i))_{i,j\in I_n}$ can be 
expressed as $\sum_{j=0}^{|I_n|-1} C_0(|I_n| - j \bmod |I_n|)Q^j$ and therefore it is also a circulant matrix. 

Now, we focus our attention on $k$-shuffled codeword states of circulant codes. Let $C$ be any $(M(n), n)_{q(n)}$ 
circulant code with a series $\{I_n\}_{n\in\mathbb{N}}$ of index sets. Consider $k$-shuffled codeword states $|C_i^{(k)}\rangle$. Conventionally, 
here we treat $|C_i^{(k)}\rangle$ as the column vector $[((1/\sqrt{M})\omega_q^{k\cdot C_i(j)})_{j\in I_n}]^T$ and $\langle C_i^{(k)}|$ as the row vector 
$((1/\sqrt{M})\omega_q^{-k\cdot C_i(j)})_{j\in I_n}$. We use the notation $M_{k,C}$ to denote the matrix $(|C_0^{(k)}\rangle, \ldots, |C_{|I_n|-1}^{(k)}\rangle)$, which equals 

$$M_{k,C} = \sum_{j\in I_n} \frac{1}{\sqrt{M}}\,\omega_q^{k\cdot C_0(M(n) - j \bmod M(n))}\,Q^j$$

and the conjugate transpose of $M_{k,C}$ can be expressed as 



k.C 



Clearly, these matrices are circulant since so are the matrices $(C_i(j))_{i,j\in I_n}$ and $(C_j(i))_{i,j\in I_n}$. Therefore, as 
noted before, $M_{k,C}$ can be diagonalized by the quantum Fourier transform $F_M$ as follows: 



F^M^cFm = diag J= 



i<=I n 



Similarly, we obtain the following diagonalization: 



Fm^IcFm = diag f-L= ]T 



iei„ 



6.2 Proof of Theorem 2.3(3) 

We shall give the proof of Theorem 2.3(3). Our proof relies on the next lemma, in which we prove that, if we 
can approximate efficiently the matrix $F_M M_{k,C}^\dagger F_M^{-1}$ (described in the previous subsection), we can construct 
efficiently a codeword-state decoder for $C$. The lemma requires the notion of operator norm $\|A\|$ of a complex 
square matrix $A$, defined as $\|A\| = \sup_{|\phi\rangle,|\psi\rangle:\, \||\phi\rangle\| = \||\psi\rangle\| = 1} |\langle\phi|A|\psi\rangle|$. 

^This notion is different from the codes that have circulant constructions (see, e.g., [25]). 
Lemma 6.2 Let $C$ be an $(M(n), n)_{q(n)}$ circulant code. Let k £ ^(n)>, $\delta \in [0, 1]$, and let $D_k$ denote 
$F_{M(n)} M_{k,C}^\dagger F_{M(n)}^{-1}$. For each constant k G ^(n)>, let $\tilde{D}_k$ denote a linear operator such that $\|D_k - \tilde{D}_k\| \le \delta$, 
where $\|\cdot\|$ denotes the operator norm. If $\tilde{D}_k$ is computable in time polynomial in $(n, q(n), \log_2 M(n))$, then $C$ 
is $(1 - \delta)^2$-quantum codeword-state decodable in time polynomial in $(n, q(n), \log_2 M(n))$. 

Proof. Let fc G ^g( ra v. By omitting the script "n," our desired codeword-state decoder $U_k$ that outputs $i$ 
from $|C_i^{(k)}\rangle$ can be expressed in the form $F_M^{-1}\tilde{D}_kF_M$. Obviously, $U_k$ is a linear operator that can be realized 
in time polynomial in $(n, q, \log M)$. 

Now, we wish to evaluate the success probability $|\langle i|U_k|C_i^{(k)}\rangle|^2$ of obtaining $i$ by applying $U_k$ to $|C_i^{(k)}\rangle$. 
For convenience, let $\Delta_k = \tilde{D}_k - D_k$. This $\Delta_k$ satisfies the following inequality: 

$$|\langle i|F_M^{-1}\Delta_kF_M|C_i^{(k)}\rangle| = |(\langle i|F_M^{-1})\Delta_k(F_M|C_i^{(k)}\rangle)| \le \|\Delta_k\| = \|D_k - \tilde{D}_k\| \le \delta.$$



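We then have 

$$|\langle i|U_k|C_i^{(k)}\rangle| = |\langle i|F_M^{-1}\tilde{D}_kF_M|C_i^{(k)}\rangle| = |\langle i|F_M^{-1}(D_k + \Delta_k)F_M|C_i^{(k)}\rangle| \ge |\langle i|F_M^{-1}D_kF_M|C_i^{(k)}\rangle| - |\langle i|F_M^{-1}\Delta_kF_M|C_i^{(k)}\rangle|,$$

which is further bounded by 

$$|\langle i|U_k|C_i^{(k)}\rangle| \ge |\langle C_i^{(k)}|C_i^{(k)}\rangle| - \|\Delta_k\| \ge 1 - \delta.$$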



mien 



(fc)v 



Thus, we can obtain $i$ from $|C_i^{(k)}\rangle$ with probability at least $(1 - \delta)^2$. Since $\tilde{D}_k$ can be computed in time 
polynomial in $(n, q, \log M)$, our codeword-state decoder also runs in time polynomial in $(n, q, \log M)$. □ 

With help of Lemma 6.2 together with Theorems 3.3 and 4.4, we prove Theorem 2.3(3). 



Proof of Theorem 2.3(3). We wish to give a polynomial-time $(1 - s)$-quantum codeword-state decoder for 
$\mathrm{SLS}^p$, where $s$ is a certain negligible function. Theorems 3.3 and 4.4 then guarantee the quantum hardcore 
property of $\mathrm{SLS}^p$. 

Let us fix $n \in \mathbb{N}$ and consider a new code $C$ defined as follows: let $C_i(j)$ be $\mathrm{SLS}^p_{-i}(j)$ (using "$-i$" instead 
of "$i$") for each pair $i, j \in I_n$. Since $C$ is a circulant code, we hereafter consider its associated matrix 

To obtain a quantum codeword-state decoder for $C$, we use Lemma 6.2. First, we define a useful constant 
$c_p$ as follows: $c_p = 1$ if $p = 1 \bmod 4$, and $c_p = i$ (i.e., the unit of imaginary numbers) if $p = 3 \bmod 4$. This 
constant $c_p$ satisfies the following equation (see e.g. [10]): 



(«) 



v jer P v - p/ 



for any number a G [Q,p — 1]%. Let D 2 = F p l M\ q-^pj which equals 



D 2 = diag 



E 



-CoU) 



= diag 



E 1 - 1 - ;; 



because 



-Co(0) 



= 1 and 



-Co (3) 



f|j for any number j G F+. By (*), we have 



D 2 = diag \—+c p (- 



A- 1 1 jl -Co(l) 1 

= diag — , — + CpUJ 2 
iei n \VP VP VP 



+ C p ld 2 



Co(p-l) 
We define our desired linear operator $\tilde{D}_2$ as $\tilde{D}_2 = \mathrm{diag}\left(0, c_p\omega_2^{-C_0(1)}, \ldots, c_p\omega_2^{-C_0(p-1)}\right)$. This definition 
makes the operator norm $\|D_2 - \tilde{D}_2\|$ equal 



\D 2 -D 2 \\ = 



diag (^"-"^ 



1 



How can we realize this $\tilde{D}_2$? The operator $\tilde{D}_2$ can be realized by the following polynomial-time algorithm. 

On input $|i\rangle|0\rangle$, where $i \in \mathbb{F}_p$, compute $c_p|i\rangle|C_0(i)\rangle$ in a reversible fashion. Apply the phase-shift 
transform that changes $|i\rangle|a\rangle$ to $\omega_2^a|i\rangle|a\rangle$. Uncompute $|C_0(i)\rangle$ in the last register and we obtain 
$c_p\omega_2^{C_0(i)}|i\rangle|0\rangle$. Finally, when $i = 0$, we reject the input. 

Therefore, Lemma 6.2 gives a $(1 - 1/\sqrt{p})^2$-quantum codeword-state decoder for $C$ that runs in time polynomial 
in $n$. Since $(1 - 1/\sqrt{p})^2 \ge 1 - 2/\sqrt{p}$, it suffices to define $s(n) = 2/\sqrt{p}$. 

To list-decode $\mathrm{SLS}^p$, since $\mathrm{SLS}^p_i(j) = C_{-i}(j)$, we first find $-i$ from the codeword $C_{-i}(\cdot)$ and then output $i$. 
This procedure gives rise to a quantum list-decoder for $\mathrm{SLS}^p$. □ 
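
The following Python sketch is an added numerical illustration, not code from the paper: it checks the Fourier diagonalization of Section 6.1 and the decoder of Lemma 6.2 for a circulant code built from Legendre symbols. It assumes that $C_0(j) = 0$ when $j = 0$ or $j$ is a quadratic residue modulo $p$ and $C_0(j) = 1$ otherwise, that $C_i(j) = C_0(j - i \bmod p)$, and a DFT sign convention under which the columns of $F$ are the eigenvectors of the circulant matrix; all function names are hypothetical.

```python
import cmath
import math

def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion; 0 when p divides a."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def sign0(t, p):
    """(-1)^{C_0(t)}: +1 at t = 0 and on quadratic residues (assumed code bits)."""
    return 1 if t % p == 0 else legendre(t, p)

def codeword_state(i, p):
    """|C_i> = p^{-1/2} sum_j (-1)^{C_0(j-i)} |j>, using C_i(j) = C_0(j - i mod p)."""
    return [sign0(j - i, p) / math.sqrt(p) for j in range(p)]

def dft(x, sign):
    """Unitary DFT over Z_p; sign=+1 applies F, sign=-1 applies F^{-1} (assumed convention)."""
    p = len(x)
    w = cmath.exp(sign * 2j * math.pi / p)
    return [sum(x[j] * w ** ((j * k) % p) for j in range(p)) / math.sqrt(p)
            for k in range(p)]

def exact_diagonal(p):
    """Eigenvalues of the circulant matrix whose rows are <C_i|: sqrt(p) * DFT of its first row."""
    return [math.sqrt(p) * v for v in dft(codeword_state(0, p), +1)]

def approx_diagonal(p):
    """D-tilde = diag(0, c_p (1/p), ..., c_p ((p-1)/p)), with c_p = 1 or i by p mod 4."""
    c_p = 1 if p % 4 == 1 else 1j
    return [0] + [c_p * legendre(k, p) for k in range(1, p)]

def operator_gap(p):
    """||D - D-tilde||; both operators are diagonal, so it is the largest entrywise gap."""
    return max(abs(a - b) for a, b in zip(exact_diagonal(p), approx_diagonal(p)))

def decode_distribution(i, p):
    """Outcome probabilities when F D-tilde F^{-1} is applied to |C_i> and measured."""
    y = dft(codeword_state(i, p), -1)
    y = [d * a for d, a in zip(approx_diagonal(p), y)]
    return [abs(a) ** 2 for a in dft(y, +1)]

if __name__ == "__main__":
    for p in (13, 23):  # one prime from each residue class mod 4
        dist = decode_distribution(5, p)
        print(p, operator_gap(p), dist.index(max(dist)), dist[5])
```

Under these assumptions the measured success probability is $(1 - 1/p)^2$ for every message index, above the $(1 - 1/\sqrt{p})^2$ that Lemma 6.2 guarantees from the operator-norm gap $1/\sqrt{p}$.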



Acknowledgments: The first author is grateful to Harumichi Nishimura for his pointing out an early error. 
Appendix A: Proof of Lemma 5.3 

We give the proof of Lemma 5.3. Fix $n$ arbitrarily and drop the subscript "n" for simplicity. For each index 
$\ell \in [0, q - 1]_{\mathbb{Z}}$, we define $d_\ell^{(k)}(C_x, C_y) = |\{r \in I_n \mid k(C_x(r) - C_y(r)) = \ell \bmod q\}|$. Since $F(|C_x^{(k)}\rangle, |C_y^{(k)}\rangle) = 
|\langle C_x^{(k)}|C_y^{(k)}\rangle|$, it follows that 
F(|C«),|C«» = 



9-1 



> 



— • Id" ■ S Q k) {C X , Cy) + — ^ • ^ i.C X ,Cy 

1=1 

d(C x ,C y ) 1 sr^\ i Ak) (r r s 



$= (1 - \Delta(C_x, C_y)) - \Delta(C_x, C_y) = 1 - 2\Delta(C_x, C_y)$, 

which gives the desired bound of the lemma. In particular, when $q = 2$, since $d_1^{(k)}(C_x, C_y) = d(C_x, C_y)$ and 
$\omega_2 = -1$, we obtain the equality $F(|C_x^{(k)}\rangle, |C_y^{(k)}\rangle) = 1 - 2\Delta(C_x, C_y)$. 
Appendix B: Proof of Lemma 3.4 

For the proof of Lemma 3.4, we need to elaborate the brief description given in Section 3 on an interpretation 
of presence. 

For readability, we fix $n$ and omit this $n$ (for example, we write "$q$" instead of "$q(n)$") in the following 
proof. Let $M = |I_n|$. Let $v$ be any quantumly corrupted word that $\tilde{O}$ represents. We view this $v$ as the real 
vector $(v[0], v[1], \ldots, v[M - 1])$ in the $Mq$ dimensional real space defined as follows: let $v[r]$, the $r$th block of 
$v$, be $(|\alpha_{r,0}|^2, |\alpha_{r,1}|^2, \ldots, |\alpha_{r,q-1}|^2)$ if $\tilde{O}|r\rangle|0\rangle|0^{\ell(n)}\rangle = \sum_{z\in\mathbb{Z}_q} \alpha_{r,z}|r\rangle|z\rangle|\phi_{r,z}\rangle$. Let $\{C_1, C_2, \ldots, C_m\}$ be the set 
of all codewords that lie "close" to the given quantumly corrupted word. For each $C_i$, we define $c_i$ to be the 
corresponding vector defined as follows: let $c_i[r]$, the $r$th block of $c_i$, consist of zeros and one 1 at the $z$th 
component if $C_i(r) = z$. 

Let $i \in [m]$ be any index. We further introduce a new parameter $\beta \in [0, 1]$ and define $w = \beta \cdot v + \frac{1-\beta}{q} \cdot \mathbf{1}$, 
where $\mathbf{1}$ is the vector of all 1s. Note that $\langle \mathbf{1}|\mathbf{1}\rangle = Mq$. Note also that the (Hamming) distance $d(C_i, C_j)$ between 
codewords $C_i$ and $C_j$ is lower-bounded by $d$. Moreover, we have $\langle c_i|v\rangle = \sum_r |\alpha_{r,C_i(r)}|^2 = M \cdot \mathrm{Pre}_{\tilde{O}}(C_i)$, where 
$\langle v|w\rangle$ denotes the standard inner product of two vectors $v$ and $w$. Note that $\langle c_i|c_i\rangle = M$. 



For each i S [to], let Cj 



tu. We consider the set {ci}i 



We define the space K, = {x G 



Vr G In[J2zez x r,z — 0]}- Notice that {ci}i S [ m ] C /C and dim[fC) — M(q — 1). Moreover, let io be the 
projection of w onto /C. 

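Let us first describe the following result stated in [20]. 

Lemma B.1 [20] Let $\{u_i\}_{i\in[m]} \subseteq \mathbb{R}^K$ be $m$ non-zero vectors such that $\langle u_i|u_j\rangle \le 0$ for any distinct pair 
$i, j \in [m]$. Let $\gamma > 0$. 

1. If $\exists v \in \mathbb{R}^K\, \forall i \in [m]\, [\langle v|u_i\rangle > 0]$, then $m \le K$. 

2. If $\forall i \in [m]\, [\|u_i\| = 1]$ and $\forall i, j \in [m]\, [i \ne j \rightarrow \langle u_i|u_j\rangle \le -\gamma]$, then $m \le 1 + 1/\gamma$. 

3. If $\exists v \in \mathbb{R}^K\, \forall i \in [m]\, [\langle v|u_i\rangle \ge 0]$, then $m \le 2K - 1$. 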



The First Upper Bound. Let $i, j$ be any distinct pair taken from $[m]$. The values $\langle c_i|w\rangle$, $\langle w|w\rangle$, and 
$\langle c_i|c_j\rangle$ can be bounded as follows: 



/3(ftk) 



1-/3 



'ft 1 



/3MPreo(Ci) + 



1-/3 



M > (3 M I - + £ 



(w\w) = /3 2 (v\v) + 



2/3(1 - (3) 



v\l) + 



(1-/3) 2 



(1 1 1> < M/3 2 



M(l-/3) 



2M/3(1 - /3) M(l - (3f 



$$\langle c_i|c_j\rangle = M - d(C_i, C_j) \le M - d.$$



Let us consider the set {ci | i G [to]}. Now, the inner product (ft|cj) for a distinct pair i,j G [to] is estimated 
as 



(Ci\Cj) 



{Ci\Cj) + {w\w} - {a\w} - {Cj\w} 



< M — d + M(3 2 + 



2N(3(l-(3) M(l-/3) 5 



2M 



-+e)(3- 

q 



l-(3 



M\l 

q 



-d. 



For our convenience, we write $d = \left(1 - \frac{1}{q}\right)(1 - \delta)M$ using an appropriate value $\delta \in [0, 1]$. It thus follows that: 

2qe 



(gilfi,-) < M ( 1 - - 

w [ 1- i 

9 



r/3 + l 



- ] (1 - <5)M 



To apply Lemma QJl), we want to make (ci\cj) < 0. To do so, we require that /3 2 — ;p i y/3 + 5 < 0, which 
is equivalent to e > | ^1 — ~J ^/3 + . To minimize the value /? + jj, it suffices to take (3 = VS. By 
replacing $\beta$ by $\sqrt{\delta}$, we obtain $\varepsilon > \sqrt{\delta}\left(1 - \frac{1}{q}\right)$. Since $\delta = 1 - \frac{d}{M}\left(1 + \frac{1}{q-1}\right)$, we obtain the bound $\varepsilon >$ 



Since Cj,w £ /C, we have (ci|w) = (£i\w). It thus follows that 



(£i\w) = (ci - w\w) = (ci\w) - (w\w) > [qe - 0(q - 1)] . 



Since $\beta = \sqrt{\delta}$, we have 



(ci\w) > 



lV6(l-~ \ -Vd{q-1) 



= o. 



This implies, by Lemma B.1(1), that $m \le \dim(\mathcal{K}) = M(q - 1)$. 



The Second Upper Bound. We show the second upper bound. Recall that (ci\cj) < 



M V 1 ~ « J r 2 ~ 1^ + ^ ' We choose P = so that ^ ~ FT/ 3 = ~^ 2 - If <5 < /3 2 = f fk) , then 
clearly, we have (cj|c,-) < M fl — (<5 — /3 2 ) < 0. Note that the condition 5 < (-^j) is equivalent to 



e > V~6 (l - i). Since «J = 1 - ^ (l + ^) = 1 - I7 ^ T7 , we obtain that e > (l - l) ^1 - ± (l + ^ 

as before. Since Y^i=\ a l — (V n ) (EiLi a «) 2 f° r an y real-valued series {ai} ie [„], we obtain that (v|i>) : 
SrSi l a r,i| 4 > M/q. Thus, is lower-bounded by 



(w\w) > 



M(3 2 2M(1 - (3) M(l - (3) 2 M 



Since Pre (5 (C l ) < 1, we obtain (a\w) < (3M + M(l - f3)/q. We also have 



Nl 2 = (Ci\ci) + (w\w) - 2(a\w) > M + 



M 



(3M 



M(l-/3) 



M I I - - ) (1-/3) 



By normalizing Cj, we write Uj = pTjr- Hence, we have 



(Cilcj) ^ M (l-l/q)(5-p) (3 2 -6 



< 



|| ^11 • || Cj || - M(l- 1-/3 
By Lemma B.1(2), since $1 - 1/q - \varepsilon > 0$, we conclude that 

1 1-/3 /3 2 -/3-£ + l 

TO < 1 + — r = — < 



/3 2 - S (3 2 -8 











Me 2 + 








M 







The Equality Case. Assume that e = ^1 — ~ J y 1 — ^1 + ^rjj , which is equivalent to s = 
y/6 (l — We want to show that to < 2M(q — 1) — 1 by applying Lemma [Ij3). Recall that ((k\cj) < 
/3 2 — |^-/3 + 5 . Taking /3 = (= v<5), we immediately obtain {c\\cj) < 0. Let us consider 



w £ JC. Since (ci\w) = (di\w), it follows that 

(cAw) = (cAw) - (w\w) 



M 



Nf}2 _ 2M/3(1 - /3) _ M(\ - /3) 2 



— [/3(1 + ge) + (1-/3)- q(3 2 - /3(1 - /?) - (1 - /3) 2 

q 
Replacing $\beta$ and $\varepsilon$ by the appropriate terms using $\delta$, we have 



(Cj|U>) > — 



M 
<1 



Vd-8 



> 



because $0 \le \delta \le 1$. Hence, by Lemma B.1(3), we obtain that $m \le 2M(q - 1) - 1$. 